| 1.1.3 Ensure that 'Multi-Factor Auth Status' is 'Enabled' for all Non-Privileged Users | IDENTIFICATION AND AUTHENTICATION |
| 1.11 Ensure 'User consent for applications' Is Set To 'Allow for Verified Publishers' | ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION |
| 1.15 Ensure that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, IDENTIFICATION AND AUTHENTICATION |
| 1.17 Ensure that 'Restrict user ability to access groups features in the Access Pane' is Set to 'Yes' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.18 Ensure that 'Users can create security groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.19 Ensure that 'Owners can manage group membership requests in the Access Panel' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.20 Ensure that 'Users can create Microsoft 365 groups in Azure portals, API or PowerShell' is set to 'No' | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
| 1.23 Ensure a Custom Role is Assigned Permissions for Administering Resource Locks | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, MEDIA PROTECTION |
| 1.24 Ensure That 'Subscription leaving Microsoft Entra ID directory' and 'Subscription entering Microsoft Entra ID directory' Is Set To 'Permit No One' | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.1.1 Ensure That Microsoft Defender for Servers Is Set to 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.2 Ensure That Microsoft Defender for App Services Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.3 Ensure That Microsoft Defender for (Managed Instance) Azure SQL Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.4 Ensure That Microsoft Defender for SQL Servers on Machines Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.5 Ensure That Microsoft Defender for Open-Source Relational Databases Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.6 Ensure That Microsoft Defender for Azure Cosmos DB Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.7 Ensure That Microsoft Defender for Storage Is Set To 'On' | RISK ASSESSMENT |
| 2.1.8 Ensure That Microsoft Defender for Containers Is Set To 'On' | RISK ASSESSMENT |
| 2.1.9 Ensure That Microsoft Defender for Key Vault Is Set To 'On' | RISK ASSESSMENT |
| 2.1.10 [LEGACY] Ensure That Microsoft Defender for DNS Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.11 Ensure That Microsoft Defender for Resource Manager Is Set To 'On' | ACCESS CONTROL, RISK ASSESSMENT |
| 2.1.15 Ensure that Auto provisioning of 'Vulnerability assessment for machines' is Set to 'On' | RISK ASSESSMENT |
| 2.1.16 Ensure that Auto provisioning of 'Microsoft Defender for Containers components' is Set to 'On' | RISK ASSESSMENT |
| 2.1.20 Ensure that Microsoft Defender for Cloud Apps integration with Microsoft Defender for Cloud is Selected | RISK ASSESSMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1.21 Ensure that Microsoft Defender for Endpoint integration with Microsoft Defender for Cloud is selected | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 2.1.22 Ensure that Microsoft Defender External Attack Surface Monitoring (EASM) is enabled | RISK ASSESSMENT |
| 2.2.1 Ensure That Microsoft Defender for IoT Hub Is Set To 'On' | RISK ASSESSMENT, SYSTEM AND INFORMATION INTEGRITY |
| 3.2 Ensure that 'Enable Infrastructure Encryption' for Each Storage Account in Azure Storage is Set to 'enabled' | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.5 Ensure Storage Logging is Enabled for Queue Service for 'Read', 'Write', and 'Delete' requests | AUDIT AND ACCOUNTABILITY |
| 3.9 Ensure 'Allow Azure services on the trusted services list to access this storage account' is Enabled for Storage Account Access | ACCESS CONTROL, MEDIA PROTECTION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY |
| 3.12 Ensure Storage for Critical Data are Encrypted with Customer Managed Keys (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.13 Ensure Storage logging is Enabled for Blob Service for 'Read', 'Write', and 'Delete' requests | AUDIT AND ACCOUNTABILITY |
| 3.14 Ensure Storage Logging is Enabled for Table Service for 'Read', 'Write', and 'Delete' Requests | AUDIT AND ACCOUNTABILITY |
| 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.4.3 Ensure server parameter 'audit_log_enabled' is set to 'ON' for MySQL Database Server | AUDIT AND ACCOUNTABILITY |
| 4.4.4 Ensure server parameter 'audit_log_events' has 'CONNECTION' set for MySQL Database Server | AUDIT AND ACCOUNTABILITY |
| 4.5.1 Ensure That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.5.2 Ensure That Private Endpoints Are Used Where Possible | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.3 Ensure the storage account containing the container with activity logs is encrypted with Customer Managed Key (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.1.5 Ensure that Network Security Group Flow logs are captured and sent to Log Analytics | SYSTEM AND INFORMATION INTEGRITY |
| 5.1.6 Ensure that logging for Azure AppService 'HTTP logs' is enabled | AUDIT AND ACCOUNTABILITY |
| 5.3.1 Ensure Application Insights are Configured | AUDIT AND ACCOUNTABILITY |
| 5.5 Ensure that SKU Basic/Consumption is not used on artifacts that need to be monitored (Particularly for Production Workloads) | SYSTEM AND SERVICES ACQUISITION |
| 6.5 Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | AUDIT AND ACCOUNTABILITY |
| 6.6 Ensure that Network Watcher is 'Enabled' | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.1 Ensure an Azure Bastion Host Exists | SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure that 'OS and Data' disks are encrypted with Customer Managed Key (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure that 'Unattached disks' are encrypted with 'Customer Managed Key' (CMK) | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.6 Ensure that Endpoint Protection for all Virtual Machines is installed | SYSTEM AND INFORMATION INTEGRITY |
| 7.7 [Legacy] Ensure that VHDs are Encrypted | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.8 Ensure only MFA enabled identities can access privileged Virtual Machine | IDENTIFICATION AND AUTHENTICATION |
