Holm Security Cloud Scanner checks Azure environments against security best practices and detects security misconfigurations that contribute to the most common causes of security breaches, across a long list of Azure services.
There is also a set of plugins highlighting unused or misused services that could help save monthly Azure costs. Read more about these plugins in this article:
https://support.holmsecurity.com/hc/en-us/articles/7478410504476
Supported services
Here's the list of services that we currently support:
- Active Directory
- Advisor
- AI & ML
- API Management
- App Configuration
- App Service
- Application Gateway
- Automation
- Azure Policy
- Bastion
- Blob Service
- CDN Profiles
- Container Registry
- Cosmos DB
- Defender
- Event Grid
- Event Hubs
- File Service
- Front Door
- Key Vaults
- Kubernetes Service
- Load Balancer
- Log Alerts
- Media Services
- Monitor
- MySQL Server
- Network Security Groups
- Network Watcher
- PostgreSQL Server
- Queue Service
- Recovery Service Vault
- Redis Cache
- Resource Group
- Resources
- SQL Databases
- SQL Server
- Security Center
- Service Bus
- Storage Accounts
- Subscription
- Table Service
- Virtual Machine Scale Set
- Virtual Machines
- Virtual Networks
Supported policies
Across the services, the following policies are scanned for:
- Active Directory - Allow Only Administrators to Create Security Groups
- Active Directory - Azure AD App Organisational Directory Access
- Active Directory - Enable Multi-Factor Authentication for Non-Privileged Users
- Active Directory - Enable Multi-Factor Authentication for Privileged Users
- Active Directory - Enable Security Defaults on Azure Active Directory
- Active Directory - Enforce multi-factor authentication for B2B guest users
- Active Directory - Ensure No Guest User
- Active Directory - Ensure trust location based on IP Policies are used
- Active Directory - Follow AD Recommendations
- Active Directory - Limit Guest User Permissions
- Active Directory - MFA Enabled for all users
- Active Directory - Minimum Password Length
- Active Directory - No Custom Owner Roles
- Active Directory - Password Requires Lowercase
- Active Directory - Password Requires Numbers
- Active Directory - Password Requires Symbols
- Active Directory - Password Requires Uppercase
- Active Directory - Restrict Application Registration for Non-Privileged Users
- Active Directory - Restrict Guest User Invitations
- Active Directory - Restrict Invitations to Administrators Only
- Active Directory - Restrict Office 365 Group Creation to Administrators Only
- Advisor - Active Advisor Recommendations
- AI & ML - Databricks Workspace DBFS Infrastructure Encryption
- AI & ML - Databricks Workspace Diagnostic Logs
- AI & ML - Databricks Workspace Has Tags
- AI & ML - Databricks Workspace Managed Disk CMK Encrypted
- AI & ML - Databricks Workspace Managed Services CMK Encrypted
- AI & ML - Databricks Workspace Secure Cluster
- AI & ML - Machine Learning Registry Has Tags
- AI & ML - Machine Learning Registry Public Access Disabled
- AI & ML - Machine Learning Workspace Diagnostic Logs
- AI & ML - Machine Learning Workspace Has Tags
- AI & ML - Machine Learning Workspace High Business Impact Enabled
- AI & ML - Machine Learning Workspace Public Access Disabled
- AI & ML - OpenAI Account CMK Encrypted
- AI & ML - OpenAI Account Diagnostic Logging Enabled
- AI & ML - OpenAI Account Has Tags
- AI & ML - OpenAI Account Managed Identity Enabled
- AI & ML - OpenAI Account Public Access Disabled
- AI & ML - Synapse Workspace AD Auth Enabled
- AI & ML - Synapse Workspace Diagnostic Logging Enabled
- AI & ML - Synapse Workspace Double Encryption Enabled
- AI & ML - Synapse Workspace Has Tags
- AI & ML - Synapse Workspace Managed Identity
- AI & ML - Synapse Workspace Private Endpoints
- All Parameters for Microsoft Defender for Cloud Default Policy Enabled
- API Management - API Management Instance Has Tags
- API Management - API Management Instance Managed Identity
- App Configuration - App Configuration Access Key Authentication Disabled
- App Configuration - App Configuration Diagnostic Logs
- App Configuration - App Configuration Encryption At Rest with CMK
- App Configuration - App Configurations Has Tags
- App Configuration - App Configurations Managed Identity
- App Configuration - App Configurations Public Access
- App Service - Access Control Allow Credential Enabled
- App Service - App Service Access Restriction
- App Service - App Service Certificates Expiry
- App Service - App Service Diagnostic Logging Enabled
- App Service - App Service SCM Site Access Restriction
- App Service - Authentication Enabled
- App Service - Azure Keyvault is used to store secrets
- App Service - Client Certificates Enabled
- App Service - Disable FTP Deployments
- App Service - FTPS Only Access Enabled
- App Service - HTTP 2.0 Enabled
- App Service - HTTPS Only Enabled
- App Service - Identity Enabled
- App Service - Java Version
- App Service - .NET Framework Version
- App Service - Node.js Version
- App Service - PHP Version
- App Service - Python Version
- App Service - Secure Azure Http Triggered Function
- App Service - TLS Version Check
- App Service - Web Apps Active Directory Enabled
- App Service - Web Apps Always On Enabled
- App Service - Web Apps Backup Enabled
- App Service - Web Apps Backup Retention Period
- App Service - Web Apps Insights Enabled
- App Service - Web Apps Private Endpoints Configured
- App Service - Web Apps Remote Debugging Disabled
- App Service - Web Apps Security Logging Enabled
- App Service - Web Apps VNet Integrated
- Application Gateway - Application Gateway Has Tags
- Application Gateway - Application Gateway HTTPS Listener
- Application Gateway - Application Gateway Request Body Inspection
- Application Gateway - Application Gateway Request Body Size
- Application Gateway - Application Gateway Security Logging Enabled
- Application Gateway - Application Gateway SSL Policy
- Application Gateway - Application Gateway WAF Enabled
- Application Gateway - Application Gateway WAF Prevention Mode Enabled
- Application Gateway - WAF Policy Has Tags
- Automation - Automation Account Approved Certificates Only
- Automation - Automation Account Diagnostic Logs
- Automation - Automation Account Encrypted Variables
- Automation - Automation Account Expired Webhooks
- Automation - Automation Account Has Tags
- Automation - Automation Account Managed Identity
- Automation - Automation Account Private Endpoints Configured
- Automation - Automation Account Public Access Disabled
- Automation - Automation Account Valid Source Controls
- Azure Policy - Resource Location Matches Resource Group
- Azure Policy - Resources Allowed Locations
- Bastion - Azure Bastion Host Exists
- Bastion - Bastion Host Diagnostic Logs Enabled
- Bastion - Bastion Host Has Tags
- Batch - Batch Account AAD Auth Enabled
- Batch - Batch Account CMK Encrypted
- Batch - Batch Account Diagnostic Logs
- Batch - Batch Account Has Tags
- Batch - Batch Account Managed Identity
- Batch - Batch Account Public Access
- Blob Service - Blob Container CMK Encrypted
- Blob Service - Blob Container Private Access
- Blob Service - Blob Service Immutable
- CDN Profiles - Detect Insecure Custom Origin
- CDN Profiles - Endpoint Logging Enabled
- Container Apps - Container Apps Authentication Enabled
- Container Apps - Container Apps External Network Access
- Container Apps - Container Apps Has Tags
- Container Apps - Container Apps HTTPS only
- Container Apps - Container Apps IP Restriction Configured
- Container Apps - Container Apps Managed Identity
- Container Apps - Container Apps Volume Mount Configured
- Container Registry - ACR Admin User
- Container Registry - ACR Anonymous Pull Access Enabled
- Container Registry - ACR CMK Encryption
- Container Registry - ACR Content Trust Enabled
- Container Registry - ACR Has Tags
- Container Registry - ACR Log Analytics Enabled
- Container Registry - ACR Managed Identity Enabled
- Container Registry - ACR Public Access
- Container Registry - ACR Trusted Services Enabled
- Cosmos DB - Advanced Threat Protection Enabled
- Cosmos DB - Automatic Failover Enabled
- Cosmos DB - Cosmos DB Diagnostic Logs
- Cosmos DB - Cosmos DB Has Tags
- Cosmos DB - Cosmos DB Local Authentication Disabled
- Cosmos DB - Cosmos DB Managed Identity
- Cosmos DB - Cosmos DB Public Access Disabled
- Defender - Admin Security Alerts Enabled
- Defender - Application Whitelisting Enabled
- Defender - Auto Provisioning Enabled
- Defender - Enable Defender Endpoint Integration
- Defender - Enable Defender For APIs
- Defender - Enable Defender For App Services
- Defender - Enable Defender For Containers
- Defender - Enable Defender For Cosmos DBs
- Defender - Enable Defender For CSPM
- Defender - Enable Defender For DNS
- Defender - Enable Defender For Key Vaults
- Defender - Enable Defender For Open Source Relational Databases
- Defender - Enable Defender For Resource Manager
- Defender - Enable Defender for SQL Server Virtual Machines
- Defender - Enable Defender For SQL Servers
- Defender - Enable Defender For SQL Servers On Machines
- Defender - Enable Defender For Storage
- Defender - Enable Defender For Virtual Machines
- Defender - High Severity Alerts Enabled
- Defender - Monitor Adaptive Application Safe listing
- Defender - Monitor Blob Encryption
- Defender - Monitor Disk Encryption
- Defender - Monitor Endpoint Protection
- Defender - Monitor External Accounts with Write Permissions
- Defender - Monitor IP Forwarding
- Defender - Monitor JIT Network Access
- Defender - Monitor Next Generation Firewall
- Defender - Monitor NSG Enabled
- Defender - Monitor SQL Auditing
- Defender - Monitor SQL Encryption
- Defender - Monitor System Updates
- Defender - Monitor Total Number of Subscription Owners
- Defender - Monitor VM Vulnerability
- Defender - Security Configuration Monitoring
- Defender - Security Contact Additional Email
- Defender - Security Contact Enabled for Subscription Owner
- Defender - Security Contacts Enabled
- Defender - Standard Pricing Enabled
- Defender - Web Application Firewall Monitoring Enabled
- Ensure that legacy authentication methods policies are not supported
- Event Grid - Event Grid Domain Diagnostic Logs
- Event Grid - Event Grid Domain Local Authentication Disabled
- Event Grid - Event Grid Domain Managed Identity
- Event Grid - Event Grid Domain Minimum TLS Version
- Event Grid - Event Grid Domain Public Access
- Event Hubs - Event Hub Namespace Local Auth Disabled
- Event Hubs - Event Hub Public Access
- Event Hubs - Event Hubs Minimum TLS Version
- Event Hubs - Event Hubs Namespace Auto-Inflate Enabled
- Event Hubs - Event Hubs Namespace CMK Encrypted
- Event Hubs - Event Hubs Namespace Diagnostic Logs
- Event Hubs - Event Hubs Namespace Has Tags
- Event Hubs - Event Hubs Namespace Managed Identity
- File Service - File Service All Access ACL
- Front Door - Front Door Access Logs Enabled
- Front Door - Front Door Azure Managed DNS
- Front Door - Front Door HTTPS only
- Front Door - Front Door Managed Identity Enabled
- Front Door - Front Door Minimum TLS Version
- Front Door - Front Door Request Body Inspection
- Front Door - Front Door Security Logging Enabled
- Front Door - Front Door WAF Bot Protection
- Front Door - Front Door WAF Detection Mode
- Front Door - Front Door WAF Enabled
- Front Door - Front Door WAF Latest Default Rule Set
- Front Door - Front Door WAF Rate limit
- Key Vaults - Allowed Certificates Key Types
- Key Vaults - App Tier CMK In Use
- Key Vaults - Database Tier CMK In Use
- Key Vaults - Enable Audit Event Logging for Azure Key Vaults
- Key Vaults - Enable Certificate Transparency
- Key Vaults - Key Expiration Enabled
- Key Vaults - Key Vault Has Tags
- Key Vaults - Key Vault In Use
- Key Vaults - Key Vault Key Expiry
- Key Vaults - Key Vault Log Analytics Enabled
- Key Vaults - Key Vault Recovery Enabled
- Key Vaults - Key Vault Restrict Default Network Access
- Key Vaults - Key Vault Secret Expiry
- Key Vaults - Key Vaults Private Endpoint
- Key Vaults - KeyVault Trusted Services Enabled
- Key Vaults - Manage Key Access and Permissions
- Key Vaults - Non RBAC Key Expiration Enabled
- Key Vaults - Non RBAC Secret Expiration Enabled
- Key Vaults - RBAC Key Expiration Enabled
- Key Vaults - RBAC Secret Expiration Enabled
- Key Vaults - RSA Certificate Allowed Key Size
- Key Vaults - Secret Expiration Enabled
- Key Vaults - SSL Certificate Auto Renewal
- Kubernetes Service - AKS API Server Authorized IP Ranges
- Kubernetes Service - AKS Cluster Diagnostic Logs
- Kubernetes Service - AKS Cluster Has Tags
- Kubernetes Service - AKS Cluster Host Based Encryption
- Kubernetes Service - AKS Cluster Managed Identity Enabled
- Kubernetes Service - AKS Cluster Private
- Kubernetes Service - AKS Encryption At Rest with BYOK
- Kubernetes Service - Kubernetes Latest Version
- Kubernetes Service - Kubernetes RBAC Enabled
- Kubernetes Service - Kubernetes Version For Agent Pools
- Load Balancer - Application Gateway Has Tags
- Load Balancer - LB HTTPS Only
- Load Balancer - LB No Instances
- Load Balancer - Load Balancer Has Tags
- Load Balancer - Load Balancer Log Analytics Enabled
- Load Balancer - Load Balancer Public IP
- Log Alerts - Key Vault Logging Enabled
- Log Alerts - Load Balancers Logging Enabled
- Log Alerts - MySQL Flexible Server Logging Enabled
- Log Alerts - Network Security Groups Logging Enabled
- Log Alerts - Network Security Groups Rule Logging Enabled
- Log Alerts - Policy Assignment Alerts Enabled
- Log Alerts - PostgreSQL Flexible Server Logging Enabled
- Log Alerts - PostgreSQL Server Database Logging Enabled
- Log Alerts - Public IP Address Logging Enabled
- Log Alerts - Security Policy Alerts Enabled
- Log Alerts - Security Solution Logging
- Log Alerts - SQL Server Database Logging Enabled
- Log Alerts - SQL Server Database Rename Alert Enabled
- Log Alerts - SQL Server Firewall Rule Alerts Monitor
- Log Alerts - Storage Account Logging Enabled
- Log Alerts - Virtual Machine Deallocate Alert Enabled
- Log Alerts - Virtual Machine Logging Enabled
- Log Alerts - Virtual Machine Power Off Alert Enabled
- Log Alerts - Virtual Network Alerts Monitor
- Media Services - Media Services Classic API Disabled
- Media Services - Media Services Content Key Policy
- Media Services - Media Services Diagnostic Logs Enabled
- Media Services - Media Services Managed Identity Enabled
- Media Services - Media Services Public Access Disabled
- Media Services - Media Services Storage Account Managed Identity
- Monitor - Azure Monitor Logs Enabled
- Monitor - Diagnostics Captured Categories
- Monitor - Diagnostics Settings Enabled
- Monitor - Log Analytics Public Workspace
- Monitor - Log Profile Archive Data
- Monitor - Log Profile Retention Policy
- MySQL Server - Enforce MySQL SSL Connection
- MySQL Server - Machine Learning Workspace CMK Encrypted
- MySQL Server - MySQL Flexible Server Data CMK Encrypted
- MySQL Server - MySQL Flexible Server Diagnostic Logs
- MySQL Server - MySQL Flexible Server Has Tags
- MySQL Server - MySQL Flexible Server Managed Identity
- MySQL Server - MySQL Flexible Server Minimum TLS Version
- MySQL Server - MySQL Flexible Server Public Access
- MySQL Server - MySQL Flexible Server Version
- MySQL Server - MySQL Server Has Tags
- Network Security Groups - Check for Unrestricted ICMP Access
- Network Security Groups - Default Security Group
- Network Security Groups - Excessive Security Groups
- Network Security Groups - NSG Flow Logs Enabled
- Network Security Groups - NSG Flow Logs Retention Period
- Network Security Groups - NSG Log Analytics Enabled
- Network Security Groups - Open All Ports
- Network Security Groups - Open Cassandra Client
- Network Security Groups - Open Cassandra Internode
- Network Security Groups - Open Cassandra Monitoring
- Network Security Groups - Open Cassandra Thrift
- Network Security Groups - Open CIFS
- Network Security Groups - Open DNS
- Network Security Groups - Open Docker
- Network Security Groups - Open Elasticsearch
- Network Security Groups - Open FTP
- Network Security Groups - Open Hadoop HDFS NameNode Metadata Service
- Network Security Groups - Open Hadoop HDFS NameNode WebUI
- Network Security Groups - Open HTTP
- Network Security Groups - Open HTTPS
- Network Security Groups - Open Internal Web
- Network Security Groups - Open Kibana
- Network Security Groups - Open LDAP
- Network Security Groups - Open LDAPS
- Network Security Groups - Open Memcached
- Network Security Groups - Open MongoDB
- Network Security Groups - Open MySQL
- Network Security Groups - Open NetBIOS
- Network Security Groups - Open Oracle
- Network Security Groups - Open Oracle Auto Data Warehouse
- Network Security Groups - Open PostgreSQL
- Network Security Groups - Open RDP
- Network Security Groups - Open Redis
- Network Security Groups - Open RPC
- Network Security Groups - Open Salt
- Network Security Groups - Open SMBoTCP
- Network Security Groups - Open SMTP
- Network Security Groups - Open SNMP
- Network Security Groups - Open SQLServer
- Network Security Groups - Open SSH
- Network Security Groups - Open Telnet
- Network Security Groups - Open UDP Ports
- Network Security Groups - Open VNC Client
- Network Security Groups - Open VNC Server
- Network Security Groups - Review Network Interfaces with IP Forwarding Enabled
- Network Watcher - Network Watcher Enabled
- PostgreSQL Server - Azure Active Directory Admin Configured
- PostgreSQL Server - Connection Throttling Enabled
- PostgreSQL Server - Enable Geo-Redundant Backups
- PostgreSQL Server - Enforce PostgreSQL SSL Connection
- PostgreSQL Server - Log Checkpoints Enabled
- PostgreSQL Server - Log Connections Enabled
- PostgreSQL Server - Log Disconnections Enabled
- PostgreSQL Server - Log Duration Enabled
- PostgreSQL Server - Log Retention Period
- PostgreSQL Server - PostgreSQL Diagnostic Logging Enabled
- PostgreSQL Server - PostgreSQL Encryption At Rest with BYOK
- PostgreSQL Server - PostgreSQL Flexible Server Advanced Threat Protection
- PostgreSQL Server - PostgreSQL Flexible Server Connection Throttling Enabled
- PostgreSQL Server - PostgreSQL Flexible Server Diagnostic Logging
- PostgreSQL Server - PostgreSQL Flexible Server Log Disconnections Enabled
- PostgreSQL Server - PostgreSQL Flexible Server Log Duration Enabled
- PostgreSQL Server - PostgreSQL Flexible Server SCRAM Enabled
- PostgreSQL Server - PostgreSQL Flexible Server Services Access Disabled
- PostgreSQL Server - PostgreSQL Flexible Server Version
- PostgreSQL Server - PostgreSQL Flexible Server VNet Integrated
- PostgreSQL Server - PostgreSQL Infrastructure Double Encryption
- PostgreSQL Server - PostgreSQL Minimum TLS Version
- PostgreSQL Server - PostgreSQL Server Has Tags
- PostgreSQL Server - PostgreSQL Server Private Endpoints Configured
- PostgreSQL Server - PostgreSQL Server Services Access Disabled
- PostgreSQL Server - Private DNS Zone Integrated
- PostgreSQL Server - Storage Auto-Growth Enabled
- Queue Service - Queue Service All Access ACL
- Recovery Service Vault - Recovery Services Vault BYOK Encrypted
- Recovery Service Vault - Recovery Services Vault Logging Enabled
- Redis Cache - Minimum TLS Version
- Redis Cache - Redis Cache Diagnostic Logs Enabled
- Redis Cache - Redis Cache Has Tags
- Redis Cache - Redis Cache Managed Identity Enabled
- Redis Cache - Redis Cache Private Endpoint
- Redis Cache - Redis Cache Scheduled Updates
- Redis Cache - Redis Cache VNet Integrated
- Redis Cache - Redis Version
- Redis Cache - SSL Access Only Enabled
- Resource Group - Resource Group Has Tags
- Resources - Management Lock Enabled
- Resources - Monitor Resource SKU
- Resources - Resources Usage Limits
- Security Center - Security Contact Additional Email
- Security Center - Security Contact Enabled for Subscription Owner
- Service Bus - Namespace Encryption At Rest with CMK
- Service Bus - Namespace Infrastructure Encryption Enabled
- Service Bus - Namespace Local Authentication Disabled
- Service Bus - Namespace Logging Enabled
- Service Bus - Namespace Managed Identity
- Service Bus - Namespace Minimum TLS Version
- Service Bus - Namespace Public Access
- Service Bus - Service Bus Namespace Has Tags
- SQL Databases - Database Auditing Enabled
- SQL Databases - Database Ledger Enabled
- SQL Databases - Database Private Link Enabled
- SQL Databases - Database Secure Enclaves Encryption Enabled
- SQL Databases - DB Restorable
- SQL Databases - Ledger Automatic Digest Storage
- SQL Databases - Point in Time Restore Backup Retention
- SQL Databases - SQL Database Data Discovery and Classification
- SQL Databases - SQL Database Diagnostic Logging Enabled
- SQL Databases - SQL Databases Data Masking Enabled
- SQL Databases - SQL DB Multiple AZ
- SQL Databases - Transparent Data Encryption Enabled
- SQL Server - Advanced Data Security Enabled
- SQL Server - Audit Action Groups Enabled
- SQL Server - Audit Retention Policy
- SQL Server - Auditing Storage Authentication Type
- SQL Server - Auto-Failover Groups Enabled
- SQL Server - Azure Active Directory Admin Enabled
- SQL Server - Email Account Admins Enabled
- SQL Server - Microsoft Support Operations Auditing Enabled
- SQL Server - Send Alerts Enabled
- SQL Server - Server Auditing Enabled
- SQL Server - Server Outbound Networking Restricted
- SQL Server - Server Send Email to Admin and Owners
- SQL Server - SQL Server Advanced Threat Protection Enabled
- SQL Server - SQL Server Automatic Tuning Enabled
- SQL Server - SQL Server Connection Policy
- SQL Server - SQL Server Has Tags
- SQL Server - SQL Server Managed Identity Enabled
- SQL Server - SQL Server Minimum TLS Version
- SQL Server - SQL Server Private Endpoints Configured
- SQL Server - SQL Server Public Access
- SQL Server - SQL Server Recurring Scans Enabled
- SQL Server - SQL Server Send Scan Reports
- SQL Server - SQL Server Services Access Disabled
- SQL Server - SQL Server VNet Rules Integrated
- SQL Server - TDE Protector Encrypted
- SQL Server - Vulnerability Assessment (VA) is enabled on a SQL server
- Storage Accounts - Blob Service Encryption
- Storage Accounts - Blob Storage Lifecycle Management Enabled
- Storage Accounts - Blobs Soft Deletion Enabled
- Storage Accounts - Disable Shared Key authorization
- Storage Accounts - Enable Secure Transfer in Storage Accounts
- Storage Accounts - Ensure that Logging for Azure Storage Queue Service is Enabled
- Storage Accounts - Expire Shared Access Signature Tokens
- Storage Accounts - File Service Encryption
- Storage Accounts - Infrastructure Encryption Enabled
- Storage Accounts - Limit Storage Account Access by IP Address
- Storage Accounts - Log Container Public Access
- Storage Accounts - Log Storage Encryption
- Storage Accounts - Logging for Azure Storage Blob Service Enabled
- Storage Accounts - Logging for Azure Storage Table Service Enabled
- Storage Accounts - Network Access Default Action
- Storage Accounts - Publicly Accessible Web Containers
- Storage Accounts - Regenerate Storage Account Access Keys Periodically
- Storage Accounts - Storage Account Blob Service Logging Enabled
- Storage Accounts - Storage Account Has Tags
- Storage Accounts - Storage Account Private Endpoints
- Storage Accounts - Storage Account Queue Service Logging Enabled
- Storage Accounts - Storage Account Table Service Logging Enabled
- Storage Accounts - Storage Accounts AAD Enabled
- Storage Accounts - Storage Accounts Encryption
- Storage Accounts - Storage Accounts HTTPS
- Storage Accounts - Storage Accounts Minimum TLS Version
- Storage Accounts - Storage Accounts with Static Website Configuration
- Storage Accounts - Sufficient Soft Deleted Data Retention Period
- Storage Accounts - Trusted MS Access Enabled
- Subscription - Azure Subscription Has Tags
- Table Service - Table Service All Access ACL
- Virtual Machine Scale Set - Automatic Instance Repairs Enabled
- Virtual Machine Scale Set - Automatic OS Upgrades Enabled
- Virtual Machine Scale Set - Health Monitoring Extension HTTPS Enabled
- Virtual Machine Scale Set - No Empty Scale Sets
- Virtual Machine Scale Set - Scale Set Multi AZ
- Virtual Machine Scale Set - Scale Sets AD Authentication Enabled
- Virtual Machine Scale Set - Scale Sets Autoscale Enabled
- Virtual Machine Scale Set - Scale Sets Autoscale Notifications Enabled
- Virtual Machine Scale Set - Scale Sets Boot Diagnostics Enabled
- Virtual Machine Scale Set - Scale Sets Health Monitoring Enabled
- Virtual Machine Scale Set - Scale Sets Secure Boot Enabled
- Virtual Machine Scale Set - Scale Sets Trusted Launch Enabled
- Virtual Machine Scale Set - Scale Sets vTPM Enabled
- Virtual Machine Scale Set - VM Scale Set Approved Extensions
- Virtual Machine Scale Set - VM Scale Set Has Tags
- Virtual Machine Scale Set - VM Scale Set Managed Identity Enabled
- Virtual Machine Scale Set - VMSS Windows AntiMalware Extension
- Virtual Machines - Accelerated Networking Enabled
- Virtual Machines - Associated Load Balancers
- Virtual Machines - Classic Instances
- Virtual Machines - Compute Gallery RBAC Sharing
- Virtual Machines - Disk Volumes BYOK Encryption Enabled
- Virtual Machines - Guest Level Diagnostics Enabled
- Virtual Machines - Managed VM Machine Image
- Virtual Machines - Network Exposure
- Virtual Machines - No Unattached Disk Volumes
- Virtual Machines - Old VM Disk Snapshots
- Virtual Machines - Password Authentication Disabled
- Virtual Machines - Premium SSD Disabled
- Virtual Machines - Server-Side Encryption for Non-Boot Disk using CMK
- Virtual Machines - Server-Side Encryption for unattached disk is using CMK
- Virtual Machines - Server-Side Encryption for VM Boot Disk using CMK
- Virtual Machines - Snapshot Has Tags
- Virtual Machines - Unattached Disk Volumes with Default Encryption
- Virtual Machines - Virtual Machine Boot Diagnostics Enabled
- Virtual Machines - Virtual Machine Has Tags
- Virtual Machines - Virtual Machine Performance Diagnostics Enabled
- Virtual Machines - VM Active Directory (AD) Authentication Enabled
- Virtual Machines - VM Agent Enabled
- Virtual Machines - VM Approved Extensions
- Virtual Machines - VM Auto Update Enabled
- Virtual Machines - VM Auto-Shutdown Enabled
- Virtual Machines - VM Availability Set Enabled
- Virtual Machines - VM Availability Set Limit
- Virtual Machines - VM Backups Enabled
- Virtual Machines - VM Daily Backup Retention Period
- Virtual Machines - VM Data Disk Encryption
- Virtual Machines - VM Desired SKU Size
- Virtual Machines - VM Disk CMK Rotation
- Virtual Machines - VM Disk Double Encryption
- Virtual Machines - VM Disk Has Tags
- Virtual Machines - VM Disk Public Access
- Virtual Machines - VM Disk Snapshot BYOK Encryption Enabled
- Virtual Machines - VM Disk Snapshot Public Access Disabled
- Virtual Machines - VM Disks Deletion Config
- Virtual Machines - VM Encryption At Host
- Virtual Machines - VM Endpoint Protection
- Virtual Machines - VM Image Has Tags
- Virtual Machines - VM Instance Limit
- Virtual Machines - VM Instant Restore Backup Retention Period
- Virtual Machines - VM Just-In-Time Access for Virtual Machines Enabled
- Virtual Machines - VM Managed Disks Enabled
- Virtual Machines - VM OS Disk Encryption
- Virtual Machines - VM Scale Set Has Tags
- Virtual Machines - VM Secure Boot Enabled
- Virtual Machines - VM Security Type
- Virtual Machines - VM System Managed Identity Enabled
- Virtual Machines - VM System-Assigned Identity Enabled
- Virtual Machines - VM vTPM Enabled
- Virtual Machines - VM Windows AntiMalware Extension
- Virtual Networks - DDoS Standard Protection Enabled
- Virtual Networks - Managed NAT Gateway In Use
- Virtual Networks - Multiple Subnets
- Virtual Networks - No Network Gateways Connections
- Virtual Networks - No Network Gateways In Use
- Virtual Networks - Public IP Address DDoS Protection
- Virtual Networks - Route Table Has Tags
- Virtual Networks - Virtual Network Has Tags
- Virtual Networks - Virtual Network Peering
- Virtual Networks - Virtual Networks Logging Enabled
- Virtual Networks - VNET Flow Logs Enabled
- VM Instance Termination Notifications for Virtual Machine Scale Sets Enabled