Microsoft Azure

What cloud services are supported for Azure?

Holm Security Cloud Scanner checks for security best practices and detects the security misconfigurations that contribute to the most common causes of security breaches, across a wide range of Azure services.

There is also a set of plugins highlighting unused or misused services, which could help reduce monthly Azure costs. Read more about these plugins in this article:

https://support.holmsecurity.com/hc/en-us/articles/7478410504476

Supported services

Here's the list of services that we currently support:

  • Active Directory
  • Advisor
  • AI & ML
  • API Management
  • App Configuration
  • App Service
  • Application Gateway
  • Automation
  • Azure Policy
  • Bastion
  • Blob Service
  • CDN Profiles
  • Container Registry
  • Cosmos DB
  • Defender
  • Event Grid
  • Event Hubs
  • File Service
  • Front Door
  • Key Vaults
  • Kubernetes Service
  • Load Balancer
  • Log Alerts
  • Media Services
  • Monitor
  • MySQL Server
  • Network Security Groups
  • Network Watcher
  • PostgreSQL Server
  • Queue Service
  • Recovery Service Vault
  • Redis Cache
  • Resource Group
  • Resources
  • SQL Databases
  • SQL Server
  • Security Center
  • Service Bus
  • Storage Accounts
  • Subscription
  • Table Service
  • Virtual Machine Scale Set
  • Virtual Machines
  • Virtual Networks


Supported policies

Across the services, the following policies are scanned for: 

  • Active Directory - Allow Only Administrators to Create Security Groups
  • Active Directory - Azure AD App Organisational Directory Access
  • Active Directory - Enable Multi-Factor Authentication for Non-Privileged Users
  • Active Directory - Enable Multi-Factor Authentication for Privileged Users
  • Active Directory - Enable Security Defaults on Azure Active Directory
  • Active Directory - Enforce multi-factor authentication for B2B guest users
  • Active Directory - Ensure No Guest User
  • Active Directory - Ensure trust location based on IP Policies are used
  • Active Directory - Follow AD Recommendations
  • Active Directory - Limit Guest User Permissions
  • Active Directory - MFA Enabled for all users
  • Active Directory - Minimum Password Length
  • Active Directory - No Custom Owner Roles
  • Active Directory - Password Requires Lowercase
  • Active Directory - Password Requires Numbers
  • Active Directory - Password Requires Symbols
  • Active Directory - Password Requires Uppercase
  • Active Directory - Restrict Application Registration for Non-Privileged Users
  • Active Directory - Restrict Guest User Invitations
  • Active Directory - Restrict Invitations to Administrators Only
  • Active Directory - Restrict Office 365 Group Creation to Administrators Only
  • Advisor - Active Advisor Recommendations
  • AI & ML - Databricks Workspace DBFS Infrastructure Encryption
  • AI & ML - Databricks Workspace Diagnostic Logs
  • AI & ML - Databricks Workspace Has Tags
  • AI & ML - Databricks Workspace Managed Disk CMK Encrypted
  • AI & ML - Databricks Workspace Managed Services CMK Encrypted
  • AI & ML - Databricks Workspace Secure Cluster
  • AI & ML - Machine Learning Registry Has Tags
  • AI & ML - Machine Learning Registry Public Access Disabled
  • AI & ML - Machine Learning Workspace Diagnostic Logs
  • AI & ML - Machine Learning Workspace Has Tags
  • AI & ML - Machine Learning Workspace High Business Impact Enabled
  • AI & ML - Machine Learning Workspace Public Access Disabled
  • AI & ML - OpenAI Account CMK Encrypted
  • AI & ML - OpenAI Account Diagnostic Logging Enabled
  • AI & ML - OpenAI Account Has Tags
  • AI & ML - OpenAI Account Managed Identity Enabled
  • AI & ML - OpenAI Account Public Access Disabled
  • AI & ML - Synapse Workspace AD Auth Enabled
  • AI & ML - Synapse Workspace Diagnostic Logging Enabled
  • AI & ML - Synapse Workspace Double Encryption Enabled
  • AI & ML - Synapse Workspace Has Tags
  • AI & ML - Synapse Workspace Managed Identity
  • AI & ML - Synapse Workspace Private Endpoints
  • All Parameters for Microsoft Defender for Cloud Default Policy Enabled
  • API Management - API Management Instance Has Tags
  • API Management - API Management Instance Managed Identity
  • App Configuration - App Configuration Access Key Authentication Disabled
  • App Configuration - App Configuration Diagnostic Logs
  • App Configuration - App Configuration Encryption At Rest with CMK
  • App Configuration - App Configurations Has Tags
  • App Configuration - App Configurations Managed Identity
  • App Configuration - App Configurations Public Access
  • App Service - Access Control Allow Credential Enabled
  • App Service - App Service Access Restriction
  • App Service - App Service Certificates Expiry
  • App Service - App Service Diagnostic Logging Enabled
  • App Service - App Service SCM Site Access Restriction
  • App Service - Authentication Enabled
  • App Service - Azure Keyvault is used to store secrets
  • App Service - Client Certificates Enabled
  • App Service - Disable FTP Deployments
  • App Service - FTPS Only Access Enabled
  • App Service - HTTP 2.0 Enabled
  • App Service - HTTPS Only Enabled
  • App Service - Identity Enabled
  • App Service - Java Version
  • App Service - .NET Framework Version
  • App Service - Node.js Version
  • App Service - PHP Version
  • App Service - Python Version
  • App Service - Secure Azure Http Triggered Function
  • App Service - TLS Version Check
  • App Service - Web Apps Active Directory Enabled
  • App Service - Web Apps Always On Enabled
  • App Service - Web Apps Backup Enabled
  • App Service - Web Apps Backup Retention Period
  • App Service - Web Apps Insights Enabled
  • App Service - Web Apps Private Endpoints Configured
  • App Service - Web Apps Remote Debugging Disabled
  • App Service - Web Apps Security Logging Enabled
  • App Service - Web Apps VNet Integrated
  • Application Gateway - Application Gateway Has Tags
  • Application Gateway - Application Gateway HTTPS Listener
  • Application Gateway - Application Gateway Request Body Inspection
  • Application Gateway - Application Gateway Request Body Size
  • Application Gateway - Application Gateway Security Logging Enabled
  • Application Gateway - Application Gateway SSL Policy
  • Application Gateway - Application Gateway WAF Enabled
  • Application Gateway - Application Gateway WAF Prevention Mode Enabled
  • Application Gateway - WAF Policy Has Tags
  • Automation - Automation Account Approved Certificates Only
  • Automation - Automation Account Diagnostic Logs
  • Automation - Automation Account Encrypted Variables
  • Automation - Automation Account Expired Webhooks
  • Automation - Automation Account Has Tags
  • Automation - Automation Account Managed Identity
  • Automation - Automation Account Private Endpoints Configured
  • Automation - Automation Account Public Access Disabled
  • Automation - Automation Account Valid Source Controls
  • Azure Policy - Resource Location Matches Resource Group
  • Azure Policy - Resources Allowed Locations
  • Bastion - Azure Bastion Host Exists
  • Bastion - Bastion Host Diagnostic Logs Enabled
  • Bastion - Bastion Host Has Tags
  • Batch - Batch Account AAD Auth Enabled
  • Batch - Batch Account CMK Encrypted
  • Batch - Batch Account Diagnostic Logs
  • Batch - Batch Account Has Tags
  • Batch - Batch Account Managed Identity
  • Batch - Batch Account Public Access
  • Blob Service - Blob Container CMK Encrypted
  • Blob Service - Blob Container Private Access
  • Blob Service - Blob Service Immutable
  • CDN Profiles - Detect Insecure Custom Origin
  • CDN Profiles - Endpoint Logging Enabled
  • Container Apps - Container Apps Authentication Enabled
  • Container Apps - Container Apps External Network Access
  • Container Apps - Container Apps Has Tags
  • Container Apps - Container Apps HTTPS only
  • Container Apps - Container Apps IP Restriction Configured
  • Container Apps - Container Apps Managed Identity
  • Container Apps - Container Apps Volume Mount Configured
  • Container Registry - ACR Admin User
  • Container Registry - ACR Anonymous Pull Access Enabled
  • Container Registry - ACR CMK Encryption
  • Container Registry - ACR Content Trust Enabled
  • Container Registry - ACR Has Tags
  • Container Registry - ACR Log Analytics Enabled
  • Container Registry - ACR Managed Identity Enabled
  • Container Registry - ACR Public Access
  • Container Registry - ACR Trusted Services Enabled
  • Cosmos DB - Advanced Threat Protection Enabled
  • Cosmos DB - Automatic Failover Enabled
  • Cosmos DB - Cosmos DB Diagnostic Logs
  • Cosmos DB - Cosmos DB Has Tags
  • Cosmos DB - Cosmos DB Local Authentication Disabled
  • Cosmos DB - Cosmos DB Managed Identity
  • Cosmos DB - Cosmos DB Public Access Disabled
  • Defender - Admin Security Alerts Enabled
  • Defender - Application Whitelisting Enabled
  • Defender - Auto Provisioning Enabled
  • Defender - Enable Defender Endpoint Integration
  • Defender - Enable Defender For APIs
  • Defender - Enable Defender For App Services
  • Defender - Enable Defender For Containers
  • Defender - Enable Defender For Cosmos DBs
  • Defender - Enable Defender For CSPM
  • Defender - Enable Defender For DNS
  • Defender - Enable Defender For Key Vaults
  • Defender - Enable Defender For Open Source Relational Databases
  • Defender - Enable Defender For Resource Manager
  • Defender - Enable Defender for SQL Server Virtual Machines
  • Defender - Enable Defender For SQL Servers
  • Defender - Enable Defender For SQL Servers On Machines
  • Defender - Enable Defender For Storage
  • Defender - Enable Defender For Virtual Machines
  • Defender - High Severity Alerts Enabled
  • Defender - Monitor Adaptive Application Safe listing
  • Defender - Monitor Blob Encryption
  • Defender - Monitor Disk Encryption
  • Defender - Monitor Endpoint Protection
  • Defender - Monitor External Accounts with Write Permissions
  • Defender - Monitor IP Forwarding
  • Defender - Monitor JIT Network Access
  • Defender - Monitor Next Generation Firewall
  • Defender - Monitor NSG Enabled
  • Defender - Monitor SQL Auditing
  • Defender - Monitor SQL Encryption
  • Defender - Monitor System Updates
  • Defender - Monitor Total Number of Subscription Owners
  • Defender - Monitor VM Vulnerability
  • Defender - Security Configuration Monitoring
  • Defender - Security Contact Additional Email
  • Defender - Security Contact Enabled for Subscription Owner
  • Defender - Security Contacts Enabled
  • Defender - Standard Pricing Enabled
  • Defender - Web Application Firewall Monitoring Enabled
  • Ensure that legacy authentication methods policies are not supported
  • Event Grid - Event Grid Domain Diagnostic Logs
  • Event Grid - Event Grid Domain Local Authentication Disabled
  • Event Grid - Event Grid Domain Managed Identity
  • Event Grid - Event Grid Domain Minimum TLS Version
  • Event Grid - Event Grid Domain Public Access
  • Event Hubs - Event Hub Namespace Local Auth Disabled
  • Event Hubs - Event Hub Public Access
  • Event Hubs - Event Hubs Minimum TLS Version
  • Event Hubs - Event Hubs Namespace Auto-Inflate Enabled
  • Event Hubs - Event Hubs Namespace CMK Encrypted
  • Event Hubs - Event Hubs Namespace Diagnostic Logs
  • Event Hubs - Event Hubs Namespace Has Tags
  • Event Hubs - Event Hubs Namespace Managed Identity
  • File Service - File Service All Access ACL
  • Front Door - Front Door Access Logs Enabled
  • Front Door - Front Door Azure Managed DNS
  • Front Door - Front Door HTTPS only
  • Front Door - Front Door Managed Identity Enabled
  • Front Door - Front Door Minimum TLS Version
  • Front Door - Front Door Request Body Inspection
  • Front Door - Front Door Security Logging Enabled
  • Front Door - Front Door WAF Bot Protection
  • Front Door - Front Door WAF Detection Mode
  • Front Door - Front Door WAF Enabled
  • Front Door - Front Door WAF Latest Default Rule Set
  • Front Door - Front Door WAF Rate limit
  • Key Vaults - Allowed Certificates Key Types
  • Key Vaults - App Tier CMK In Use
  • Key Vaults - Database Tier CMK In Use
  • Key Vaults - Enable Audit Event Logging for Azure Key Vaults
  • Key Vaults - Enable Certificate Transparency
  • Key Vaults - Key Expiration Enabled
  • Key Vaults - Key Vault Has Tags
  • Key Vaults - Key Vault In Use
  • Key Vaults - Key Vault Key Expiry
  • Key Vaults - Key Vault Log Analytics Enabled
  • Key Vaults - Key Vault Recovery Enabled
  • Key Vaults - Key Vault Restrict Default Network Access
  • Key Vaults - Key Vault Secret Expiry
  • Key Vaults - Key Vaults Private Endpoint
  • Key Vaults - KeyVault Trusted Services Enabled
  • Key Vaults - Manage Key Access and Permissions
  • Key Vaults - Non RBAC Key Expiration Enabled
  • Key Vaults - Non RBAC Secret Expiration Enabled
  • Key Vaults - RBAC Key Expiration Enabled
  • Key Vaults - RBAC Secret Expiration Enabled
  • Key Vaults - RSA Certificate Allowed Key Size
  • Key Vaults - Secret Expiration Enabled
  • Key Vaults - SSL Certificate Auto Renewal
  • Kubernetes Service - AKS API Server Authorized IP Ranges
  • Kubernetes Service - AKS Cluster Diagnostic Logs
  • Kubernetes Service - AKS Cluster Has Tags
  • Kubernetes Service - AKS Cluster Host Based Encryption
  • Kubernetes Service - AKS Cluster Managed Identity Enabled
  • Kubernetes Service - AKS Cluster Private
  • Kubernetes Service - AKS Encryption At Rest with BYOK
  • Kubernetes Service - Kubernetes Latest Version
  • Kubernetes Service - Kubernetes RBAC Enabled
  • Kubernetes Service - Kubernetes Version For Agent Pools
  • Load Balancer - Application Gateway Has Tags
  • Load Balancer - LB HTTPS Only
  • Load Balancer - LB No Instances
  • Load Balancer - Load Balancer Has Tags
  • Load Balancer - Load Balancer Log Analytics Enabled
  • Load Balancer - Load Balancer Public IP
  • Log Alerts - Key Vault Logging Enabled
  • Log Alerts - Load Balancers Logging Enabled
  • Log Alerts - MySQL Flexible Server Logging Enabled
  • Log Alerts - Network Security Groups Logging Enabled
  • Log Alerts - Network Security Groups Rule Logging Enabled
  • Log Alerts - Policy Assignment Alerts Enabled
  • Log Alerts - PostgreSQL Flexible Server Logging Enabled
  • Log Alerts - PostgreSQL Server Database Logging Enabled
  • Log Alerts - Public IP Address Logging Enabled
  • Log Alerts - Security Policy Alerts Enabled
  • Log Alerts - Security Solution Logging
  • Log Alerts - SQL Server Database Logging Enabled
  • Log Alerts - SQL Server Database Rename Alert Enabled
  • Log Alerts - SQL Server Firewall Rule Alerts Monitor
  • Log Alerts - Storage Account Logging Enabled
  • Log Alerts - Virtual Machine Deallocate Alert Enabled
  • Log Alerts - Virtual Machine Logging Enabled
  • Log Alerts - Virtual Machine Power Off Alert Enabled
  • Log Alerts - Virtual Network Alerts Monitor
  • Media Services - Media Services Classic API Disabled
  • Media Services - Media Services Content Key Policy
  • Media Services - Media Services Diagnostic Logs Enabled
  • Media Services - Media Services Managed Identity Enabled
  • Media Services - Media Services Public Access Disabled
  • Media Services - Media Services Storage Account Managed Identity
  • Monitor - Azure Monitor Logs Enabled
  • Monitor - Diagnostics Captured Categories
  • Monitor - Diagnostics Settings Enabled
  • Monitor - Log Analytics Public Workspace
  • Monitor - Log Profile Archive Data
  • Monitor - Log Profile Retention Policy
  • MySQL Server - Enforce MySQL SSL Connection
  • MySQL Server - Machine Learning Workspace CMK Encrypted
  • MySQL Server - MySQL Flexible Server Data CMK Encrypted
  • MySQL Server - MySQL Flexible Server Diagnostic Logs
  • MySQL Server - MySQL Flexible Server Has Tags
  • MySQL Server - MySQL Flexible Server Managed Identity
  • MySQL Server - MySQL Flexible Server Minimum TLS Version
  • MySQL Server - MySQL Flexible Server Public Access
  • MySQL Server - MySQL Flexible Server Version
  • MySQL Server - MySQL Server Has Tags
  • Network Security Groups - Check for Unrestricted ICMP Access
  • Network Security Groups - Default Security Group
  • Network Security Groups - Excessive Security Groups
  • Network Security Groups - NSG Flow Logs Enabled
  • Network Security Groups - NSG Flow Logs Retention Period
  • Network Security Groups - NSG Log Analytics Enabled
  • Network Security Groups - Open All Ports
  • Network Security Groups - Open Cassandra Client
  • Network Security Groups - Open Cassandra Internode
  • Network Security Groups - Open Cassandra Monitoring
  • Network Security Groups - Open Cassandra Thrift
  • Network Security Groups - Open CIFS
  • Network Security Groups - Open DNS
  • Network Security Groups - Open Docker
  • Network Security Groups - Open Elasticsearch
  • Network Security Groups - Open FTP
  • Network Security Groups - Open Hadoop HDFS NameNode Metadata Service
  • Network Security Groups - Open Hadoop HDFS NameNode WebUI
  • Network Security Groups - Open HTTP
  • Network Security Groups - Open HTTPS
  • Network Security Groups - Open Internal Web
  • Network Security Groups - Open Kibana
  • Network Security Groups - Open LDAP
  • Network Security Groups - Open LDAPS
  • Network Security Groups - Open Memcached
  • Network Security Groups - Open MongoDB
  • Network Security Groups - Open MySQL
  • Network Security Groups - Open NetBIOS
  • Network Security Groups - Open Oracle
  • Network Security Groups - Open Oracle Auto Data Warehouse
  • Network Security Groups - Open PostgreSQL
  • Network Security Groups - Open RDP
  • Network Security Groups - Open Redis
  • Network Security Groups - Open RPC
  • Network Security Groups - Open Salt
  • Network Security Groups - Open SMBoTCP
  • Network Security Groups - Open SMTP
  • Network Security Groups - Open SNMP
  • Network Security Groups - Open SQLServer
  • Network Security Groups - Open SSH
  • Network Security Groups - Open Telnet
  • Network Security Groups - Open UDP Ports
  • Network Security Groups - Open VNC Client
  • Network Security Groups - Open VNC Server
  • Network Security Groups - Review Network Interfaces with IP Forwarding Enabled
  • Network Watcher - Network Watcher Enabled
  • PostgreSQL Server - Azure Active Directory Admin Configured
  • PostgreSQL Server - Connection Throttling Enabled
  • PostgreSQL Server - Enable Geo-Redundant Backups
  • PostgreSQL Server - Enforce PostgreSQL SSL Connection
  • PostgreSQL Server - Log Checkpoints Enabled
  • PostgreSQL Server - Log Connections Enabled
  • PostgreSQL Server - Log Disconnections Enabled
  • PostgreSQL Server - Log Duration Enabled
  • PostgreSQL Server - Log Retention Period
  • PostgreSQL Server - PostgreSQL Diagnostic Logging Enabled
  • PostgreSQL Server - PostgreSQL Encryption At Rest with BYOK
  • PostgreSQL Server - PostgreSQL Flexible Server Advanced Threat Protection
  • PostgreSQL Server - PostgreSQL Flexible Server Connection Throttling Enabled
  • PostgreSQL Server - PostgreSQL Flexible Server Diagnostic Logging
  • PostgreSQL Server - PostgreSQL Flexible Server Log Disconnections Enabled
  • PostgreSQL Server - PostgreSQL Flexible Server Log Duration Enabled
  • PostgreSQL Server - PostgreSQL Flexible Server SCRAM Enabled
  • PostgreSQL Server - PostgreSQL Flexible Server Services Access Disabled
  • PostgreSQL Server - PostgreSQL Flexible Server Version
  • PostgreSQL Server - PostgreSQL Flexible Server VNet Integrated
  • PostgreSQL Server - PostgreSQL Infrastructure Double Encryption
  • PostgreSQL Server - PostgreSQL Minimum TLS Version
  • PostgreSQL Server - PostgreSQL Server Has Tags
  • PostgreSQL Server - PostgreSQL Server Private Endpoints Configured
  • PostgreSQL Server - PostgreSQL Server Services Access Disabled
  • PostgreSQL Server - Private DNS Zone Integrated
  • PostgreSQL Server - Storage Auto-Growth Enabled
  • Queue Service - Queue Service All Access ACL
  • Recovery Service Vault - Recovery Services Vault BYOK Encrypted
  • Recovery Service Vault - Recovery Services Vault Logging Enabled
  • Redis Cache - Minimum TLS Version
  • Redis Cache - Redis Cache Diagnostic Logs Enabled
  • Redis Cache - Redis Cache Has Tags
  • Redis Cache - Redis Cache Managed Identity Enabled
  • Redis Cache - Redis Cache Private Endpoint
  • Redis Cache - Redis Cache Scheduled Updates
  • Redis Cache - Redis Cache VNet Integrated
  • Redis Cache - Redis Version
  • Redis Cache - SSL Access Only Enabled
  • Resource Group - Resource Group Has Tags
  • Resources - Management Lock Enabled
  • Resources - Monitor Resource SKU
  • Resources - Resources Usage Limits
  • Security Center - Security Contact Additional Email
  • Security Center - Security Contact Enabled for Subscription Owner
  • Service Bus - Namespace Encryption At Rest with CMK
  • Service Bus - Namespace Infrastructure Encryption Enabled
  • Service Bus - Namespace Local Authentication Disabled
  • Service Bus - Namespace Logging Enabled
  • Service Bus - Namespace Managed Identity
  • Service Bus - Namespace Minimum TLS Version
  • Service Bus - Namespace Public Access
  • Service Bus - Service Bus Namespace Has Tags
  • SQL Databases - Database Auditing Enabled
  • SQL Databases - Database Ledger Enabled
  • SQL Databases - Database Private Link Enabled
  • SQL Databases - Database Secure Enclaves Encryption Enabled
  • SQL Databases - DB Restorable
  • SQL Databases - Ledger Automatic Digest Storage
  • SQL Databases - Point in Time Restore Backup Retention
  • SQL Databases - SQL Database Data Discovery and Classification
  • SQL Databases - SQL Database Diagnostic Logging Enabled
  • SQL Databases - SQL Databases Data Masking Enabled
  • SQL Databases - SQL DB Multiple AZ
  • SQL Databases - Transparent Data Encryption Enabled
  • SQL Server - Advanced Data Security Enabled
  • SQL Server - Audit Action Groups Enabled
  • SQL Server - Audit Retention Policy
  • SQL Server - Auditing Storage Authentication Type
  • SQL Server - Auto-Failover Groups Enabled
  • SQL Server - Azure Active Directory Admin Enabled
  • SQL Server - Email Account Admins Enabled
  • SQL Server - Microsoft Support Operations Auditing Enabled
  • SQL Server - Send Alerts Enabled
  • SQL Server - Server Auditing Enabled
  • SQL Server - Server Outbound Networking Restricted
  • SQL Server - Server Send Email to Admin and Owners
  • SQL Server - SQL Server Advanced Threat Protection Enabled
  • SQL Server - SQL Server Automatic Tuning Enabled
  • SQL Server - SQL Server Connection Policy
  • SQL Server - SQL Server Has Tags
  • SQL Server - SQL Server Managed Identity Enabled
  • SQL Server - SQL Server Minimum TLS Version
  • SQL Server - SQL Server Private Endpoints Configured
  • SQL Server - SQL Server Public Access
  • SQL Server - SQL Server Recurring Scans Enabled
  • SQL Server - SQL Server Send Scan Reports
  • SQL Server - SQL Server Services Access Disabled
  • SQL Server - SQL Server VNet Rules Integrated
  • SQL Server - TDE Protector Encrypted
  • SQL Server - Vulnerability Assessment (VA) is enabled on a SQL server
  • Storage Accounts - Blob Service Encryption
  • Storage Accounts - Blob Storage Lifecycle Management Enabled
  • Storage Accounts - Blobs Soft Deletion Enabled
  • Storage Accounts - Disable Shared Key authorization
  • Storage Accounts - Enable Secure Transfer in Storage Accounts
  • Storage Accounts - Ensure that Logging for Azure Storage Queue Service is Enabled
  • Storage Accounts - Expire Shared Access Signature Tokens
  • Storage Accounts - File Service Encryption
  • Storage Accounts - Infrastructure Encryption Enabled
  • Storage Accounts - Limit Storage Account Access by IP Address
  • Storage Accounts - Log Container Public Access
  • Storage Accounts - Log Storage Encryption
  • Storage Accounts - Logging for Azure Storage Blob Service Enabled
  • Storage Accounts - Logging for Azure Storage Table Service Enabled
  • Storage Accounts - Network Access Default Action
  • Storage Accounts - Publicly Accessible Web Containers
  • Storage Accounts - Regenerate Storage Account Access Keys Periodically
  • Storage Accounts - Storage Account Blob Service Logging Enabled
  • Storage Accounts - Storage Account Has Tags
  • Storage Accounts - Storage Account Private Endpoints
  • Storage Accounts - Storage Account Queue Service Logging Enabled
  • Storage Accounts - Storage Account Table Service Logging Enabled
  • Storage Accounts - Storage Accounts AAD Enabled
  • Storage Accounts - Storage Accounts Encryption
  • Storage Accounts - Storage Accounts HTTPS
  • Storage Accounts - Storage Accounts Minimum TLS Version
  • Storage Accounts - Storage Accounts with Static Website Configuration
  • Storage Accounts - Sufficient Soft Deleted Data Retention Period
  • Storage Accounts - Trusted MS Access Enabled
  • Subscription - Azure Subscription Has Tags
  • Table Service - Table Service All Access ACL
  • Virtual Machine Scale Set - Automatic Instance Repairs Enabled
  • Virtual Machine Scale Set - Automatic OS Upgrades Enabled
  • Virtual Machine Scale Set - Health Monitoring Extension HTTPS Enabled
  • Virtual Machine Scale Set - No Empty Scale Sets
  • Virtual Machine Scale Set - Scale Set Multi AZ
  • Virtual Machine Scale Set - Scale Sets AD Authentication Enabled
  • Virtual Machine Scale Set - Scale Sets Autoscale Enabled
  • Virtual Machine Scale Set - Scale Sets Autoscale Notifications Enabled
  • Virtual Machine Scale Set - Scale Sets Boot Diagnostics Enabled
  • Virtual Machine Scale Set - Scale Sets Health Monitoring Enabled
  • Virtual Machine Scale Set - Scale Sets Secure Boot Enabled
  • Virtual Machine Scale Set - Scale Sets Trusted Launch Enabled
  • Virtual Machine Scale Set - Scale Sets vTPM Enabled
  • Virtual Machine Scale Set - VM Scale Set Approved Extensions
  • Virtual Machine Scale Set - VM Scale Set Has Tags
  • Virtual Machine Scale Set - VM Scale Set Managed Identity Enabled
  • Virtual Machine Scale Set - VMSS Windows AntiMalware Extension
  • Virtual Machines - Accelerated Networking Enabled
  • Virtual Machines - Associated Load Balancers
  • Virtual Machines - Classic Instances
  • Virtual Machines - Compute Gallery RBAC Sharing
  • Virtual Machines - Disk Volumes BYOK Encryption Enabled
  • Virtual Machines - Guest Level Diagnostics Enabled
  • Virtual Machines - Managed VM Machine Image
  • Virtual Machines - Network Exposure
  • Virtual Machines - No Unattached Disk Volumes
  • Virtual Machines - Old VM Disk Snapshots
  • Virtual Machines - Password Authentication Disabled
  • Virtual Machines - Premium SSD Disabled
  • Virtual Machines - Server-Side Encryption for Non-Boot Disk using CMK
  • Virtual Machines - Server-Side Encryption for unattached disk is using CMK
  • Virtual Machines - Server-Side Encryption for VM Boot Disk using CMK
  • Virtual Machines - Snapshot Has Tags
  • Virtual Machines - Unattached Disk Volumes with Default Encryption
  • Virtual Machines - Virtual Machine Boot Diagnostics Enabled
  • Virtual Machines - Virtual Machine Has Tags
  • Virtual Machines - Virtual Machine Performance Diagnostics Enabled
  • Virtual Machines - VM Active Directory (AD) Authentication Enabled
  • Virtual Machines - VM Agent Enabled
  • Virtual Machines - VM Approved Extensions
  • Virtual Machines - VM Auto Update Enabled
  • Virtual Machines - VM Auto-Shutdown Enabled
  • Virtual Machines - VM Availability Set Enabled
  • Virtual Machines - VM Availability Set Limit
  • Virtual Machines - VM Backups Enabled
  • Virtual Machines - VM Daily Backup Retention Period
  • Virtual Machines - VM Data Disk Encryption
  • Virtual Machines - VM Desired SKU Size
  • Virtual Machines - VM Disk CMK Rotation
  • Virtual Machines - VM Disk Double Encryption
  • Virtual Machines - VM Disk Has Tags
  • Virtual Machines - VM Disk Public Access
  • Virtual Machines - VM Disk Snapshot BYOK Encryption Enabled
  • Virtual Machines - VM Disk Snapshot Public Access Disabled
  • Virtual Machines - VM Disks Deletion Config
  • Virtual Machines - VM Encryption At Host
  • Virtual Machines - VM Endpoint Protection
  • Virtual Machines - VM Image Has Tags
  • Virtual Machines - VM Instance Limit
  • Virtual Machines - VM Instant Restore Backup Retention Period
  • Virtual Machines - VM Just-In-Time Access for Virtual Machines Enabled
  • Virtual Machines - VM Managed Disks Enabled
  • Virtual Machines - VM OS Disk Encryption
  • Virtual Machines - VM Scale Set Has Tags
  • Virtual Machines - VM Secure Boot Enabled
  • Virtual Machines - VM Security Type
  • Virtual Machines - VM System Managed Identity Enabled
  • Virtual Machines - VM System-Assigned Identity Enabled
  • Virtual Machines - VM vTPM Enabled
  • Virtual Machines - VM Windows AntiMalware Extension
  • Virtual Networks - DDoS Standard Protection Enabled
  • Virtual Networks - Managed NAT Gateway In Use
  • Virtual Networks - Multiple Subnets
  • Virtual Networks - No Network Gateways Connections
  • Virtual Networks - No Network Gateways In Use
  • Virtual Networks - Public IP Address DDoS Protection
  • Virtual Networks - Route Table Has Tags
  • Virtual Networks - Virtual Network Has Tags
  • Virtual Networks - Virtual Network Peering
  • Virtual Networks - Virtual Networks Logging Enabled
  • Virtual Networks - VNET Flow Logs Enabled
  • VM Instance Termination Notifications for Virtual Machine Scale Sets Enabled