Azure Policy built-in definitions for Azure Resource Manager
This page is an index of Azure Policy built-in policy definitions for Azure Resource Manager. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure Resource Manager
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 |
Accounts with owner permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with read permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Accounts with write permissions on Azure resources should be MFA enabled | Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. | AuditIfNotExists, Disabled | 1.0.0 |
Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0 |
Add a tag to resource groups | Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. | modify | 1.0.0 |
Add a tag to subscriptions | Adds the specified tag and value to subscriptions via a remediation task. If the tag exists with a different value it will not be changed. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | modify | 1.0.0 |
Add or replace a tag on resource groups | Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. | modify | 1.0.0 |
Add or replace a tag on subscriptions | Adds or replaces the specified tag and value on subscriptions via a remediation task. Existing resource groups can be remediated by triggering a remediation task. See https://aka.ms/azurepolicyremediation for more information on policy remediation. | modify | 1.0.0 |
Allowed locations for resource groups | This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. | deny | 1.0.0 |
An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 3.0.0 |
An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 |
Append a tag and its value to resource groups | Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). | append | 1.0.0 |
Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 |
Azure Defender for App Service should be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Defender for Azure SQL Database servers should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
Azure Defender for Key Vault should be enabled | Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Defender for open-source relational databases should be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | AuditIfNotExists, Disabled | 1.0.0 |
Azure Defender for Resource Manager should be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | AuditIfNotExists, Disabled | 1.0.0 |
Azure Defender for servers should be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | AuditIfNotExists, Disabled | 1.0.3 |
Azure Defender for SQL servers on machines should be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | AuditIfNotExists, Disabled | 1.0.2 |
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | AuditIfNotExists, Disabled | 1.0.0 |
Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 2.0.0 |
Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | AuditIfNotExists, Disabled | 1.0.0 |
Azure subscriptions should have a log profile for Activity Log | This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0 |
Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 |
Configure Azure Activity logs to stream to specified Log Analytics workspace | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for App Service to be enabled | Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Defender for Azure SQL database to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Defender for open-source relational databases to be enabled | Azure Defender for open-source relational databases detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. Learn more about the capabilities of Azure Defender for open-source relational databases at https://aka.ms/AzDforOpenSourceDBsDocu. Important: Enabling this plan will result in charges for protecting your open-source relational databases. Learn about the pricing on Security Center's pricing page: https://aka.ms/pricing-security-center | DeployIfNotExists, Disabled | 1.0.0 |
Configure Azure Defender for Resource Manager to be enabled | Azure Defender for Resource Manager automatically monitors the resource management operations in your organization. Azure Defender detects threats and alerts you about suspicious activity. Learn more about the capabilities of Azure Defender for Resource Manager at https://aka.ms/defender-for-resource-manager . Enabling this Azure Defender plan results in charges. Learn about the pricing details per region on Security Center's pricing page: https://aka.ms/pricing-security-center . | DeployIfNotExists, Disabled | 1.1.0 |
Configure Azure Defender for servers to be enabled | Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Azure Defender for SQL servers on machines to be enabled | Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. | DeployIfNotExists, Disabled | 1.0.1 |
Configure basic Microsoft Defender for Storage to be enabled (Activity Monitoring only) | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable the basic Defender for Storage capabilities (Activity Monitoring). To enable full protection, which also includes On-upload Malware Scanning and Sensitive Data Threat Detection use the full enablement policy: aka.ms/DefenderForStoragePolicy. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | DeployIfNotExists, Disabled | 1.1.0 |
Configure disaster recovery on virtual machines by enabling replication via Azure Site Recovery | Virtual machines without disaster recovery configurations are vulnerable to outages and other disruptions. If the virtual machine does not already have disaster recovery configured, this would initiate the same by enabling replication using preset configurations to facilitate business continuity. You can optionally include/exclude virtual machines containing a specified tag to control the scope of assignment. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | DeployIfNotExists, Disabled | 2.1.0 |
Configure Log Analytics workspace and automation account to centralize logs and monitoring | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking. | DeployIfNotExists, AuditIfNotExists, Disabled | 2.0.0 |
Configure Microsoft Defender CSPM plan | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender CSPM to be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | DeployIfNotExists, Disabled | 1.0.2 |
Configure Microsoft Defender for Azure Cosmos DB to be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Containers plan | New capabilities are continuously being added to Defender for Containers plan, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Containers to be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | DeployIfNotExists, Disabled | 1.0.1 |
Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_EXCLUDE_LINUX...) | Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_EXCLUDE_LINUX_...), for enabling auto provisioning of MDE for Linux servers. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP_UNIFIED_SOLUTION) | Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP_UNIFIED_SOLUTION), for enabling auto provisioning of MDE Unified Agent for Windows Server 2012R2 and 2016. WDATP setting must be turned on for this setting to be applied. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP) | Configures the Microsoft Defender for Endpoint integration settings, within Microsoft Defender for Cloud (also known as WDATP), for Windows downlevel machines onboarded to MDE via MMA, and auto provisioning of MDE on Windows Server 2019 , Windows Virtual Desktop and above. Must be turned on in order for the other settings (WDATP_UNIFIED, etc.) to work. See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Key Vault plan | Microsoft Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. | DeployIfNotExists, Disabled | 1.1.0 |
Configure Microsoft Defender for Servers plan | New capabilities are continuously being added to Defender for Servers, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. | DeployIfNotExists, Disabled | 1.0.0 |
Configure Microsoft Defender for Storage (Classic) to be enabled | Microsoft Defender for Storage (Classic) provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. | DeployIfNotExists, Disabled | 1.0.2 |
Configure Microsoft Defender for Storage to be enabled | Microsoft Defender for Storage is an Azure-native layer of security intelligence that detects potential threats to your storage accounts. This policy will enable all Defender for Storage capabilities; Activity Monitoring, Malware Scanning and Sensitive Data Threat Detection. To learn more about Defender for Storage capabilities and benefits, visit aka.ms/DefenderForStorage. | DeployIfNotExists, Disabled | 1.4.0 |
Configure Microsoft Defender threat protection for AI workloads | New capabilities are continuously being added to threat protection for AI workloads, which may require the user's explicit enablement. Use this policy to make sure all new capabilities will be enabled. | DeployIfNotExists, Disabled | 1.0.0 |
Configure subscriptions to set up preview features | This policy evaluates existing subscription's preview features. Subscriptions can be remediated to register to a new preview feature. New subscriptions will not be automatically registered. | AuditIfNotExists, DeployIfNotExists, Disabled | 1.0.1 |
Deploy - Configure suppression rules for Azure Security Center alerts | Suppress Azure Security Center alerts to reduce alerts fatigue by deploying suppression rules on your management group or subscription. | deployIfNotExists | 1.0.0 |
Deploy export to Event Hub as a trusted service for Microsoft Defender for Cloud data | Enable export to Event Hub as a trusted service of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub as a trusted service configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | DeployIfNotExists, Disabled | 1.0.0 |
Deploy export to Event Hub for Microsoft Defender for Cloud data | Enable export to Event Hub of Microsoft Defender for Cloud data. This policy deploys an export to Event Hub configuration with your conditions and target Event Hub on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.2.0 |
Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 4.1.0 |
Deploy Workflow Automation for Microsoft Defender for Cloud alerts | Enable automation of Microsoft Defender for Cloud alerts. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 5.0.1 |
Deploy Workflow Automation for Microsoft Defender for Cloud recommendations | Enable automation of Microsoft Defender for Cloud recommendations. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 5.0.1 |
Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance | Enable automation of Microsoft Defender for Cloud regulatory compliance. This policy deploys a workflow automation with your conditions and triggers on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | deployIfNotExists | 5.0.1 |
Email notification for high severity alerts should be enabled | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 1.2.0 |
Email notification to subscription owner for high severity alerts should be enabled | To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. | AuditIfNotExists, Disabled | 2.1.0 |
Enable Microsoft Defender for Cloud on your subscription | Identifies existing subscriptions that aren't monitored by Microsoft Defender for Cloud and protects them with Defender for Cloud's free features. Subscriptions already monitored will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment, and create a remediation task. | deployIfNotExists | 1.0.1 |
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. | Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. | DeployIfNotExists, Disabled | 1.0.0 |
Enable threat protection for AI workloads | Microsoft threat protection for AI workloads provides contextualized, evidence-based security alerts aimed at protecting home grown Generative AI powered applications | DeployIfNotExists, Disabled | 1.0.0 |
Exclude Usage Costs Resources | This policy enables you to exlcude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. | Audit, Deny, Disabled | 1.0.0 |
Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender CSPM should be enabled | Defender Cloud Security Posture Management (CSPM) provides enhanced posture capabilities and a new intelligent cloud security graph to help identify, prioritize, and reduce risk. Defender CSPM is available in addition to the free foundational security posture capabilities turned on by default in Defender for Cloud. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender for APIs should be enabled | Microsoft Defender for APIs brings new discovery, protection, detection, & response coverage to monitor for common API based attacks & security misconfigurations. | AuditIfNotExists, Disabled | 1.0.3 |
Microsoft Defender for Azure Cosmos DB should be enabled | Microsoft Defender for Azure Cosmos DB is an Azure-native layer of security that detects attempts to exploit databases in your Azure Cosmos DB accounts. Defender for Azure Cosmos DB detects potential SQL injections, known bad actors based on Microsoft Threat Intelligence, suspicious access patterns, and potential exploitations of your database through compromised identities or malicious insiders. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender for Containers should be enabled | Microsoft Defender for Containers provides hardening, vulnerability assessment and run-time protections for your Azure, hybrid, and multi-cloud Kubernetes environments. | AuditIfNotExists, Disabled | 1.0.0 |
Microsoft Defender for Storage should be enabled | Microsoft Defender for Storage detects potential threats to your storage accounts. It helps prevent the three major impacts on your data and workload: malicious file uploads, sensitive data exfiltration, and data corruption. The new Defender for Storage plan includes Malware Scanning and Sensitive Data Threat Detection. This plan also provides a predictable pricing structure (per storage account) for control over coverage and costs. | AuditIfNotExists, Disabled | 1.0.0 |
Require a tag and its value on resource groups | Enforces a required tag and its value on resource groups. | deny | 1.0.0 |
Require a tag on resource groups | Enforces existence of a tag on resource groups. | deny | 1.0.0 |
Setup subscriptions to transition to an alternative vulnerability assessment solution | Microsoft Defender for cloud offers vulnerability scanning for your machines at no extra cost. Enabling this policy will cause Defender for Cloud to automatically propagate the findings from the built-in Microsoft Defender vulnerability management solution to all supported machines. | DeployIfNotExists, Disabled | 1.0.0-preview |
Subscriptions should have a contact email address for security issues | To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. | AuditIfNotExists, Disabled | 1.0.1 |
There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.