Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your … The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time.

Access Control

Access Control Policy and Procedures

| Name (Azure portal) | Description |
|---|---|
| Microsoft Managed Control 1000 - Access Control Policy And Procedures | Microsoft implements this Access Control control. |
| Microsoft Managed Control 1001 - Access Control Policy And Procedures | Microsoft implements this Access Control control. |

Account Management

ID: 4 AC-2

| Name (Azure portal) | Description |
|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. |
| | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. |
| Cognitive Services accounts should have local authentication methods disabled | Disabling local authentication methods improves security by ensuring that Cognitive Services accounts require Azure Active Directory identities exclusively for authentication. |
| Deprecated accounts should be removed from your subscription | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |
| Deprecated accounts with owner permissions should be removed from your subscription | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |
| External accounts with owner permissions should be removed from your subscription | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |
| External accounts with read permissions should be removed from your subscription | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |
| External accounts with write permissions should be removed from your subscription | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |
| Managed identity should be used in your API App | Use a managed identity for enhanced authentication security. |
| Managed identity should be used in your Function App | Use a managed identity for enhanced authentication security. |
| Managed identity should be used in your Web App | Use a managed identity for enhanced authentication security. |
| Microsoft Managed Control 1002 - Account Management | |
| Microsoft Managed Control 1003 - Account Management | |
| Microsoft Managed Control 1004 - Account Management | |
| Microsoft Managed Control 1005 - Account Management | |
| Microsoft Managed Control 1006 - Account Management | |
| Microsoft Managed Control 1007 - Account Management | |
| Microsoft Managed Control 1008 - Account Management | |
| Microsoft Managed Control 1009 - Account Management | |
| Microsoft Managed Control 1010 - Account Management | |
| Microsoft Managed Control 1011 - Account Management | |
| Microsoft Managed Control 1012 - Account Management | |