diff --git a/src/azure-cli/azure/cli/command_modules/resource/custom.py b/src/azure-cli/azure/cli/command_modules/resource/custom.py index 9e14df187b7..50b40dd4cc8 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/custom.py +++ b/src/azure-cli/azure/cli/command_modules/resource/custom.py @@ -15,6 +15,7 @@ import ssl import sys import uuid +import base64 from six.moves.urllib.request import urlopen # pylint: disable=import-error from six.moves.urllib.parse import urlparse # pylint: disable=import-error @@ -1356,7 +1357,10 @@ def create_policy_assignment(cmd, policy=None, policy_set_definition=None, identity = _build_identities_info(cmd, assign_identity) assignment.identity = identity - createdAssignment = policy_client.policy_assignments.create(scope, name or uuid.uuid4(), assignment) + if name is None: + name = (base64.urlsafe_b64encode(uuid.uuid4().bytes).decode())[:-2] + + createdAssignment = policy_client.policy_assignments.create(scope, name, assignment) # Create the identity's role assignment if requested if assign_identity is not None and identity_scope: diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_create_policy_assignment_random.yaml b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_create_policy_assignment_random.yaml new file mode 100644 index 00000000000..344ed44611a --- /dev/null +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/recordings/test_resource_create_policy_assignment_random.yaml 
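Review bot: The default name generated in `create_policy_assignment` can begin with `-` or `_`, because `urlsafe_b64encode` uses an alphabet that includes both. A leading `-` is awkward to pass back to `-n` in later `policy assignment show`/`delete` calls, since the argument parser may read it as an option. The `[:-2]` slice also relies on a 16-byte input always yielding exactly two `=` pad characters; `.rstrip('=')` states that intent directly. The hunk does not show why the plain UUID was dropped (presumably a name-length limit), so a short comment is warranted; if length is the only goal, `name = uuid.uuid4().hex[:22]` gives the same length with no punctuation or mixed case. Mixed case matters if the service compares assignment names case-insensitively, because the recorded create call is a PUT and a colliding name would update an existing assignment rather than fail; the function body starts and ends outside the hunk.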
@@ -0,0 +1,7404 @@ +interactions: +- request: + body: '{"properties": {"displayName": "test_policy000003", "description": "desc_for_test_policy_123", + "policyRule": {"if": {"not": {"field": "location", "in": "[parameters(''allowedLocations'')]"}}, + "then": {"effect": "deny"}}, "parameters": {"allowedLocations": {"type": "array", + "metadata": {"displayName": "Allowed locations", "description": "The list of + locations that can be specified when deploying resources"}}}}}' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition create + Connection: + - keep-alive + Content-Length: + - '414' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - -n --rules --params --display-name --description + User-Agent: + - python/3.8.1 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.1.0 + accept-language: + - en-US + method: PUT + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2020-02-26T03:33:14.4552682Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations","description":"The list of locations that can be specified when + deploying 
resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' + headers: + cache-control: + - no-cache + content-length: + - '804' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 26 Feb 2020 03:33:14 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy assignment create + Connection: + - keep-alive + ParameterSetName: + - --policy --display-name -g --params + User-Agent: + - python/3.8.1 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.1.0 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2020-02-26T03:33:14.4552682Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations","description":"The list of locations that can be specified when + deploying 
resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' + headers: + cache-control: + - no-cache + content-length: + - '804' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 26 Feb 2020 03:33:15 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: 'b''{"properties": {"displayName": "test_assignment000004", "policyDefinitionId": + "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002", + "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_create_policy_assignment_random000001", + "parameters": {"allowedLocations": {"value": ["australiaeast", "eastus", "japaneast", + "westus"]}}, "enforcementMode": "Default"}, "sku": {"name": "A0", "tier": "Free"}}''' + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy assignment create + Connection: + - keep-alive + Content-Length: + - '538' + Content-Type: + - application/json; charset=utf-8 + ParameterSetName: + - --policy --display-name -g --params + User-Agent: + - python/3.8.1 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.1.0 + accept-language: + - en-US + method: PUT + uri: 
https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_create_policy_assignment_random000001/providers/Microsoft.Authorization/policyAssignments/F-r88caKSDa-sXi54hKHQA?api-version=2019-09-01 + response: + body: + string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000004","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_create_policy_assignment_random000001","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2020-02-26T03:33:16.1809636Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_create_policy_assignment_random000001/providers/Microsoft.Authorization/policyAssignments/F-r88caKSDa-sXi54hKHQA","type":"Microsoft.Authorization/policyAssignments","name":"F-r88caKSDa-sXi54hKHQA"}' + headers: + cache-control: + - no-cache + content-length: + - '967' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 26 Feb 2020 03:33:15 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-writes: + - '1199' + status: + code: 201 + message: Created +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy assignment delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n -g + User-Agent: + - python/3.8.1 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python 
AZURECLI/2.1.0 + accept-language: + - en-US + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_create_policy_assignment_random000001/providers/Microsoft.Authorization/policyAssignments/F-r88caKSDa-sXi54hKHQA?api-version=2019-09-01 + response: + body: + string: '{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"test_assignment000004","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","scope":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_create_policy_assignment_random000001","parameters":{"allowedLocations":{"value":["australiaeast","eastus","japaneast","westus"]}},"metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2020-02-26T03:33:16.1809636Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_resource_create_policy_assignment_random000001/providers/Microsoft.Authorization/policyAssignments/F-r88caKSDa-sXi54hKHQA","type":"Microsoft.Authorization/policyAssignments","name":"F-r88caKSDa-sXi54hKHQA"}' + headers: + cache-control: + - no-cache + content-length: + - '967' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 26 Feb 2020 03:33:16 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy assignment list + Connection: + - keep-alive + ParameterSetName: + - --disable-scope-strict-match + 
User-Agent: + - python/3.8.1 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.1.0 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments?api-version=2019-09-01 + response: + body: + string: '{"value":[{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"asdadssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssssss","policyDefinitionId":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","notScopes":[],"parameters":{"allowedLocations":{"value":["australiacentral2","australiasoutheast","canadacentral","centralus","eastus","francecentral","francesouth"]}},"metadata":{"assignedBy":"zhoxing@microsoft.com + ","parameterScopes":{"allowedLocations":"/subscriptions/00000000-0000-0000-0000-000000000000"},"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2019-12-25T06:19:44.7812804Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/8395d67bfbf84a77a0b0f13c","type":"Microsoft.Authorization/policyAssignments","name":"8395d67bfbf84a77a0b0f13c"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC + DataProtection (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","description":"This + policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security + 
Center","createdBy":"2f8a138f-0955-44e1-9124-c386dfaecad4","createdOn":"2019-11-25T02:19:57.9086573Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/DataProtectionSecurityCenter","type":"Microsoft.Authorization/policyAssignments","name":"DataProtectionSecurityCenter"},{"sku":{"name":"A1","tier":"Standard"},"properties":{"displayName":"ASC + Default (subscription: 0b1f6471-1bf0-4dda-aec3-cb9272f09590)","policyDefinitionId":"/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8","scope":"/subscriptions/00000000-0000-0000-0000-000000000000","parameters":{"diagnosticsLogsInServiceFabricMonitoringEffect":{"value":"AuditIfNotExists"},"systemUpdatesMonitoringEffect":{"value":"AuditIfNotExists"},"systemConfigurationsMonitoringEffect":{"value":"AuditIfNotExists"},"endpointProtectionMonitoringEffect":{"value":"AuditIfNotExists"},"diskEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"networkSecurityGroupsMonitoringEffect":{"value":"AuditIfNotExists"},"webApplicationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"sqlAuditingMonitoringEffect":{"value":"AuditIfNotExists"},"sqlEncryptionMonitoringEffect":{"value":"AuditIfNotExists"},"nextGenerationFirewallMonitoringEffect":{"value":"AuditIfNotExists"},"vulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"storageEncryptionMonitoringEffect":{"value":"Audit"},"jitNetworkAccessMonitoringEffect":{"value":"AuditIfNotExists"},"adaptiveApplicationControlsMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateLessThanOwnersMonitoringEffect":{"value":"AuditIfNotExists"},"identityDesignateMoreThanOneOwnerMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAForWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityEnableMFAFor
ReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveDeprecatedAccountMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithWritePermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"identityRemoveExternalAccountWithReadPermissionsMonitoringEffect":{"value":"AuditIfNotExists"},"secureTransferToStorageAccountMonitoringEffect":{"value":"Audit"},"aadAuthenticationInSqlServerMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInRedisCacheMonitoringEffect":{"value":"Audit"},"clusterProtectionLevelInServiceFabricMonitoringEffect":{"value":"Audit"},"aadAuthenticationInServiceFabricMonitoringEffect":{"value":"Audit"},"diagnosticsLogsInServiceBusMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInDataLakeStoreMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInEventHubMonitoringEffect":{"value":"AuditIfNotExists"},"metricAlertsInBatchAccountMonitoringEffect":{"value":"AuditIfNotExists"},"namespaceAuthorizationRulesInServiceBusMonitoringEffect":{"value":"Audit"},"disableUnrestrictedNetworkToStorageAccountMonitoringEffect":{"value":"Audit"},"classicComputeVMsMonitoringEffect":{"value":"Audit"},"classicStorageAccountsMonitoringEffect":{"value":"Audit"},"sqlDbVulnerabilityAssesmentMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInKeyVaultMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInStreamAnalyticsMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInSearchServiceMonitoringEffect":{"value":"AuditIfNotExists"},"diagnosticsLogsInLogicAppsMonitoringEffect":{"value":"AuditIfNotExists"}},"description
":"This + policy assignment was automatically created by Azure Security Center","metadata":{"assignedBy":"Security + Center"},"enforcementMode":"Default"},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn","type":"Microsoft.Authorization/policyAssignments","name":"SecurityCenterBuiltIn"}]}' + headers: + cache-control: + - no-cache + content-length: + - '5907' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 26 Feb 2020 03:33:17 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition delete + Connection: + - keep-alive + Content-Length: + - '0' + ParameterSetName: + - -n + User-Agent: + - python/3.8.1 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.1.0 + accept-language: + - en-US + method: DELETE + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002?api-version=2019-09-01 + response: + body: + string: '{"properties":{"displayName":"test_policy000003","policyType":"Custom","mode":"Indexed","description":"desc_for_test_policy_123","metadata":{"createdBy":"9ac534f1-d577-4034-a32d-48de400dacbf","createdOn":"2020-02-26T03:33:14.4552682Z","updatedBy":null,"updatedOn":null},"parameters":{"allowedLocations":{"type":"Array","metadata":{"displayName":"Allowed + locations","description":"The list of locations that can be specified when + deploying 
resources"}}},"policyRule":{"if":{"not":{"field":"location","in":"[parameters(''allowedLocations'')]"}},"then":{"effect":"deny"}}},"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy000002","type":"Microsoft.Authorization/policyDefinitions","name":"azure-cli-test-policy000002"}' + headers: + cache-control: + - no-cache + content-length: + - '804' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 26 Feb 2020 03:33:18 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + x-ms-ratelimit-remaining-subscription-deletes: + - '14999' + status: + code: 200 + message: OK +- request: + body: null + headers: + Accept: + - application/json + Accept-Encoding: + - gzip, deflate + CommandName: + - policy definition list + Connection: + - keep-alive + User-Agent: + - python/3.8.1 (Windows-10-10.0.17763-SP0) msrest/0.6.11 msrest_azure/0.6.2 + azure-mgmt-resource/8.0.1 Azure-SDK-For-Python AZURECLI/2.1.0 + accept-language: + - en-US + method: GET + uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions?api-version=2019-09-01 + response: + body: + string: "{\"value\":[{\"properties\":{\"displayName\":\"Microsoft Managed Control + 1599 - Developer Configuration Management | Software / Firmware Integrity + Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1599\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0004bbf0-5099-4179-869e-e9ffe5fb0945\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0004bbf0-5099-4179-869e-e9ffe5fb0945\"},{\"properties\":{\"displayName\":\"Audit + virtual machines without disaster recovery configured\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + virtual machines which do not have disaster recovery configured. To learn + more about disaster recovery, visit https://aka.ms/asr-doc.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Resources/links\",\"existenceCondition\":{\"field\":\"name\",\"like\":\"ASR-Protect-*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Sockets state for a Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + Web Sockets protocol is vulnerable to different types of security threats. 
+ Use of Web Sockets within an Function app must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/001802d1-4969-4c82-a700-c29c6c6f9bbd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"001802d1-4969-4c82-a700-c29c6c6f9bbd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1375 - Incident Response Assistance | Automation Support For + Availability Of Information / Support\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1375\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/00379355-8932-4b52-b63a-3bc6daf3451a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"00379355-8932-4b52-b63a-3bc6daf3451a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1605 - Developer Security Testing And Evaluation | Static + Code Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1605\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0062eb8b-dc75-4718-8ea5-9bb4a9606655\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0062eb8b-dc75-4718-8ea5-9bb4a9606655\"},{\"properties\":{\"displayName\":\"Azure + Backup should be enabled for Virtual Machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy helps audit if Azure Backup service is enabled for all Virtual machines. 
+ Azure Backup is a cost-effective, one-click backup solution simplifies data + recovery and is easier to enable than other cloud backup services.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"backup\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.RecoveryServices/backupprotecteditems\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"013e242c-8828-4970-87b3-ab247555486d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1142 - Security Assessment And Authorization Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1142\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01524fa8-4555-48ce-ba5f-c3b8dcef5147\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01524fa8-4555-48ce-ba5f-c3b8dcef5147\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1099 - Security Training Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1099\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01910bab-8639-4bd0-84ef-cc53b24d79ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01910bab-8639-4bd0-84ef-cc53b24d79ba\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1285 - Telecommunications Services | Provider Contingency + Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1285\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/01f7726b-db54-45c2-bcb5-9bd7a43796ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"01f7726b-db54-45c2-bcb5-9bd7a43796ee\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1709 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1709\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/025992d6-7fee-4137-9bbf-2ffc39c0686c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"025992d6-7fee-4137-9bbf-2ffc39c0686c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1052 - Session Lock\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1052\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/027cae1c-ec3e-4492-9036-4168d540c42a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"027cae1c-ec3e-4492-9036-4168d540c42a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1034 - Least Privilege\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1034\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02a5ed00-6d2e-4e97-9a98-46c32c057329\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02a5ed00-6d2e-4e97-9a98-46c32c057329\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs on which the remote host connection status + does not match the specified one\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines on which the remote host connection status + does not match the specified one. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsRemoteConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02a84be7-c304-421f-9bb7-5d2c26af54ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02a84be7-c304-421f-9bb7-5d2c26af54ad\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1623 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1623\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02ce1b22-412a-4528-8630-c42146f917ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02ce1b22-412a-4528-8630-c42146f917ed\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1515 - Personnel 
Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1515\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/02dd141a-a2b2-49a7-bcbd-ca31142f6211\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"02dd141a-a2b2-49a7-bcbd-ca31142f6211\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1327 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1327\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03188d8f-1ae5-4fe1-974d-2d7d32ef937d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03188d8f-1ae5-4fe1-974d-2d7d32ef937d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1229 - Information System Component Inventory | No Duplicate + Accounting Of Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1229\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03752212-103c-4ab8-a306-7e813022ca9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03752212-103c-4ab8-a306-7e813022ca9d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1123 - Audit Review, Analysis, And Reporting | Audit Level + Adjustment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1123\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03996055-37a4-45a5-8b70-3f1caa45f87d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03996055-37a4-45a5-8b70-3f1caa45f87d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1474 - Emergency Power | Long-Term Alternate Power Supply + - Minimal Operational Capability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1474\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03ad326e-d7a1-44b1-9a76-e17492efc9e4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03ad326e-d7a1-44b1-9a76-e17492efc9e4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1227 - Information System Component Inventory | Automated + Unauthorized Component Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1227\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03b78f5e-4877-4303-b0f4-eb6583f25768\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03b78f5e-4877-4303-b0f4-eb6583f25768\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1361 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1361\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/03ed3be1-7276-4452-9a5d-e4168565ac67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"03ed3be1-7276-4452-9a5d-e4168565ac67\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1594 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1594\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/042ba2a1-8bb8-45f4-b080-c78cf62b90e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"042ba2a1-8bb8-45f4-b080-c78cf62b90e9\"},{\"properties\":{\"displayName\":\"SQL + managed instance TDE protector should be encrypted with your own key\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + Data Encryption (TDE) with your own key support provides increased transparency + and control over the TDE Protector, increased security with an HSM-backed + external service, and promotion of separation of duties.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution 
of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/encryptionProtector\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/serverKeyType\",\"equals\":\"AzureKeyVault\"},{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/uri\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/managedInstances/encryptionProtector/uri\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/048248b0-55cd-46da-b1ff-39efd52db260\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"048248b0-55cd-46da-b1ff-39efd52db260\"},{\"properties\":{\"displayName\":\"[Preview]: + Network traffic data collection agent should be installed on Linux virtual + machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Security + Center uses the Microsoft Monitoring Dependency Agent to collect network traffic + data from your Azure virtual machines to enable advanced network protection + features such as traffic visualization on the network map, network hardening + recommendations and specific network threats.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":\"true\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable Dependency Agent for Linux VMs + 
monitoring\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenc
eCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04c4380f-3fae-46e8-96c9-30193528f602\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04c4380f-3fae-46e8-96c9-30193528f602\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Service Bus to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Service Bus to stream to a regional Log Analytics + workspace when any Service Bus which is missing this diagnostic settings is + created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings\",\"ap
iVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04d53d87-841c-4f23-8a5b-21564380b55e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1572 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1572\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/04f5fb00-80bb-48a9-a75b-4cb4d4c97c36\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04f5fb00-80bb-48a9-a75b-4cb4d4c97c36\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Log Analytics 
Agent for Linux VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Log Analytics Agent for Linux VMs if the VM Image (OS) is in the list defined + and the agent is not installed.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Log Analytics workspace\",\"description\":\"Select Log Analytics workspace + from dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\
":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"typ
e\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"OmsAgentForLinux\",\"vmExtensionTypeHandlerVersion\":\"1.7\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), + '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), + '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), + '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"053d3325-282c-4e5c-b944-24faffd30d77\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1331 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1331\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05460fe2-301f-4ed1-8174-d62c8bb92ff4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05460fe2-301f-4ed1-8174-d62c8bb92ff4\"},{\"properties\":{\"displayName\":\"Vulnerability + Assessment settings for SQL server should contain an email address to receive + scan reports\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure + that an email address is provided for the 'Send scan reports to' field in + the Vulnerability Assessment settings. This email address receives scan result + summary after a periodic scan runs on SQL servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/vulnerabilityAssessments/default.recurringScans.emails[*]\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Azure Data Lake Store should be 
enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Data + Lake\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"057ef27e-665e-4328
-8ea3-04b3122bd9fb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1132 - Protection Of Audit Information | Audit Backup On Separate + Physical Systems / Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1132\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05938e10-cdbd-4a54-9b2b-1cbcfc141ad0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05938e10-cdbd-4a54-9b2b-1cbcfc141ad0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1223 - Information System Component Inventory\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1223\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05a1bb01-ad5a-49c1-aad3-b0c893b2ec3a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1640 - Transmission Confidentiality And Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications 
Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1640\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05a289ce-6a20-4b75-a0f3-dc8601b6acd0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05a289ce-6a20-4b75-a0f3-dc8601b6acd0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1420 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1420\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/05ae08cc-a282-413b-90c7-21a2c60b8404\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"05ae08cc-a282-413b-90c7-21a2c60b8404\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1658 - Secure Name / Address Resolution Service (Recursive + Or Caching Resolver)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1658\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/063b540e-4bdc-4e7a-a569-3a42ddf22098\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"063b540e-4bdc-4e7a-a569-3a42ddf22098\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1688 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1688\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/063c3f09-e0f0-4587-8fd5-f4276fae675f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"063c3f09-e0f0-4587-8fd5-f4276fae675f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1332 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1332\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/068260be-a5e6-4b0a-a430-cd27071c226a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"068260be-a5e6-4b0a-a430-cd27071c226a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1455 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1455\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/068a88d4-e520-434e-baf0-9005a8164e6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"068a88d4-e520-434e-baf0-9005a8164e6a\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit SQL DB Level Audit Setting\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + DB level audit setting for SQL databases\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"SQL\",\"deprecated\":true},\"parameters\":{\"setting\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Audit 
Setting\"},\"allowedValues\":[\"enabled\",\"disabled\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"[parameters('setting')]\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06a78e20-9358-41c9-923c-fb736d382a12\"},{\"properties\":{\"displayName\":\"Audit + VMs that do not use managed disks\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits VMs that do not use managed disks\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/virtualMachines/osDisk.uri\",\"exists\":\"True\"}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/VirtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/osDisk.vhdContainers\",\"exists\":\"True\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/osdisk.imageUrl\",\"exists\":\"True\"}]}]}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06a78e20-9358-41c9-923c-fb736d382a4d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1366 - Incident Handling | Information Correlation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1366\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/06c45c30-ae44-4f0f-82be-41331da911cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"06c45c30-ae44-4f0f-82be-41331da911cc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1633 - Boundary Protection | Route Traffic To Authenticated + Proxy Servers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1633\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/07557aa0-e02f-4460-9a81-8ecd2fed601a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"07557aa0-e02f-4460-9a81-8ecd2fed601a\"},{\"properties\":{\"displayName\":\"CORS + should not allow every resource to access your Function Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + Resource Sharing (CORS) should not allow all domains to access your Function + app. 
Allow only required domains to interact with your Function app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0820b7b9-23aa-4725-a1ce-ae4558f718e5\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Log Analytics Agent for Windows VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Log Analytics Agent for Windows VMs if the VM Image (OS) is in the list defined + and the agent is not installed. The list of OS images will be updated over + time as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Log Analytics workspace\",\"description\":\"Select Log Analytics workspace + from dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-180
3-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"MicrosoftMonitoringAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/p
ublisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"MicrosoftMonitoringAgent\",\"vmExtensionTypeHandlerVersion\":\"1.0\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), + '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), + '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), + '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0868462e-646c-4fe3-9ced-a733534b6a2c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0868462e-646c-4fe3-9ced-a733534b6a2c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1583 - 
Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1583\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0882d488-8e80-4466-bc0f-0cd15b6cb66d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0882d488-8e80-4466-bc0f-0cd15b6cb66d\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Applications that are not using latest supported PHP Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported PHP version for the latest security classes. 
Using older + classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPHP\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08b17839-76c6-4015-90e0-33d9d54d219c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08b17839-76c6-4015-90e0-33d9d54d219c\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Search Services to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Search Services to stream to a regional Log Analytics + workspace when any Search Services which is missing this diagnostic settings + is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + 
name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\"
:\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Search/searchServices/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08ba64b8-738f-4918-9686-730d2ed79c7d\"},{\"properties\":{\"displayName\":\"Adaptive + Network Hardening recommendations should be applied on internet facing virtual + machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + Security Center analyzes the traffic patterns of Internet facing virtual machines + and provides Network Security Group rule recommendations that reduce the potential + attack surface\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"adaptiveNetworkHardenings\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"08e6af2d-db70-460a-bfe9-d5bd474ba9d6\"},{\"properties\":{\"displayName\":\"There + should be more than one owner assigned to your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + is recommended to designate more than one subscription owner in order to have + administrator access redundancy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DesignateMoreThanOneOwner\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09024ccc-0c5f-475e-9457-b7c0d9ed487b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1159 - Security 
Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1159\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0925f098-7877-450b-8ba4-d1e55f2d8795\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0925f098-7877-450b-8ba4-d1e55f2d8795\"},{\"properties\":{\"displayName\":\"Disk + encryption should be applied on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"VMs + without an enabled disk encryption will be monitored by Azure Security Center + as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"encryption\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0961003e-5a0a-4549-abde-af6a37f2724d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1302 - 
Identification And Authentication (Org. Users) | Network + Access To Non-Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1302\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09828c65-e323-422b-9774-9d5c646124da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09828c65-e323-422b-9774-9d5c646124da\"},{\"properties\":{\"displayName\":\"Configure + backup on VMs of a location to an existing central Vault in the same location\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy configures Azure Backup protection on VMs in a given location to an + existing central vault in the same location. It applies to only those VMs + that are not already configured for backup. It is recommended that this policy + is assigned to not more than 200 VMs. If the policy is assigned for more than + 200 VMs, it can result in the backup getting triggered a few hours beyond + the defined schedule. This policy will be enhanced to support more VM images.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Backup\"},\"parameters\":{\"vaultLocation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Location + (Specify the location of the VMs that you want to protect)\",\"description\":\"Specify + the location of the VMs that you want to protect. 
VMs should be backed up + to a vault in the same location.\\nFor example - southeastasia\",\"strongType\":\"location\"}},\"backupPolicyId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Backup + Policy (of type Azure VM from a vault in the location chosen above)\",\"description\":\"Specify + the id of the Azure backup policy to configure backup of the virtual machines. + The selected Azure backup policy should be of type Azure virtual machine. + This policy needs to be in a vault that is present in the location chosen + above.\\nFor example - /subscriptions//resourceGroups//providers/Microsoft.RecoveryServices/vaults//backupPolicies/\",\"strongType\":\"Microsoft.RecoveryServices/vaults/backupPolicies\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"deployIfNotExists\",\"auditIfNotExists\",\"disabled\"],\"defaultValue\":\"deployIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"location\",\"equals\":\"[parameters('vaultLocation')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-
smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePubli
sher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\",\"/providers/m
icrosoft.authorization/roleDefinitions/5e467623-bb1f-42f4-a55d-6e525e11384b\"],\"type\":\"Microsoft.RecoveryServices/backupprotecteditems\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"backupPolicyId\":{\"type\":\"String\"},\"fabricName\":{\"type\":\"String\"},\"protectionContainers\":{\"type\":\"String\"},\"protectedItems\":{\"type\":\"String\"},\"sourceResourceId\":{\"type\":\"String\"}},\"resources\":[{\"apiVersion\":\"2017-05-10\",\"name\":\"[concat('DeployProtection-',uniqueString(parameters('protectedItems')))]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[first(skip(split(parameters('backupPolicyId'), + '/'), 4))]\",\"subscriptionId\":\"[first(skip(split(parameters('backupPolicyId'), + '/'), 2))]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"backupPolicyId\":{\"type\":\"String\"},\"fabricName\":{\"type\":\"String\"},\"protectionContainers\":{\"type\":\"String\"},\"protectedItems\":{\"type\":\"String\"},\"sourceResourceId\":{\"type\":\"String\"}},\"resources\":[{\"type\":\"Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems\",\"name\":\"[concat(first(skip(split(parameters('backupPolicyId'), + '/'), 8)), '/', parameters('fabricName'), '/',parameters('protectionContainers'), + '/', 
parameters('protectedItems'))]\",\"apiVersion\":\"2016-06-01\",\"properties\":{\"protectedItemType\":\"Microsoft.Compute/virtualMachines\",\"policyId\":\"[parameters('backupPolicyId')]\",\"sourceResourceId\":\"[parameters('sourceResourceId')]\"}}]},\"parameters\":{\"backupPolicyId\":{\"value\":\"[parameters('backupPolicyId')]\"},\"fabricName\":{\"value\":\"[parameters('fabricName')]\"},\"protectionContainers\":{\"value\":\"[parameters('protectionContainers')]\"},\"protectedItems\":{\"value\":\"[parameters('protectedItems')]\"},\"sourceResourceId\":{\"value\":\"[parameters('sourceResourceId')]\"}}}}]},\"parameters\":{\"backupPolicyId\":{\"value\":\"[parameters('backupPolicyId')]\"},\"fabricName\":{\"value\":\"Azure\"},\"protectionContainers\":{\"value\":\"[concat('iaasvmcontainer;iaasvmcontainerv2;', + resourceGroup().name, ';' ,field('name'))]\"},\"protectedItems\":{\"value\":\"[concat('vm;iaasvmcontainerv2;', + resourceGroup().name, ';' ,field('name'))]\"},\"sourceResourceId\":{\"value\":\"[concat('/subscriptions/', + subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Compute/virtualMachines/',field('name'))]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/09ce66bc-1220-4153-8104-e3f51c936913\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"09ce66bc-1220-4153-8104-e3f51c936913\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1654 - Voice Over Internet Protocol\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1654\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a2ee16e-ab1f-414a-800b-d1608835862b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a2ee16e-ab1f-414a-800b-d1608835862b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1402 - Controlled Maintenance | Automated Maintenance Activities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1402\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a560d32-8075-4fec-9615-9f7c853f4ea9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a560d32-8075-4fec-9615-9f7c853f4ea9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1428 - Media Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1428\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a77fcc7-b8d8-451a-ab52-56197913c0c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a77fcc7-b8d8-451a-ab52-56197913c0c7\"},{\"properties\":{\"displayName\":\"Audit + resource location matches resource group location\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + that the resource location matches its resource group location\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"policyRule\":{\"if\":{\"field\":\"location\",\"notIn\":[\"[resourcegroup().location]\",\"global\"]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a914e76-4921-4c19-b460-a2d36003525a\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'System Audit + Policies - Account Management'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - Account Management'. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a9991e6-21be-49f9-8916-a06d934bcf29\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a9991e6-21be-49f9-8916-a06d934bcf29\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1044 - Unsuccessful Logon 
Attempts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1044\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0abbac52-57cf-450d-8408-1208d0dd9e90\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0abbac52-57cf-450d-8408-1208d0dd9e90\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1253 - Contingency Plan | Resume Essential Missions / Business + Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1253\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0afce0b3-dd9f-42bb-af28-1e4284ba8311\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0afce0b3-dd9f-42bb-af28-1e4284ba8311\"},{\"properties\":{\"displayName\":\"Email + notification to subscription owner for high severity alerts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable + emailing security alerts to the subscription owner, in order to have them + receive security alert emails from Microsoft. 
This ensures that they are aware + of any potential security issues and can mitigate the risk in a timely fashion\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/alertsToAdmins\",\"notEquals\":\"Off\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b15565f-aa9e-48ba-8619-45960f2c314d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1046 - Automatic Account Lock | Purge / Wipe Mobile Device\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1046\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b1aa965-7502-41f9-92be-3e2fe7cc392a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b1aa965-7502-41f9-92be-3e2fe7cc392a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1020 - Account Management | Role-Based 
Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1020\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b291ee8-3140-4cad-beb7-568c077c78ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b291ee8-3140-4cad-beb7-568c077c78ce\"},{\"properties\":{\"displayName\":\"Key + Vault objects should be recoverable\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits if key vault objects are not recoverable. Soft Delete feature + helps to effectively hold the resources for a given retention period (90 days) + even after a DELETE operation, while giving the appearance that the object + is deleted. When 'Purge protection' is on, a vault or an object in deleted + state cannot be purged until the retention period of 90 days has passed. 
These + vaults and objects can still be recovered, assuring customers that the retention + policy will be followed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key + Vault\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},{\"anyOf\":[{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"exists\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enablePurgeProtection\",\"exists\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enableSoftDelete\",\"equals\":\"false\"},{\"field\":\"Microsoft.KeyVault/vaults/enablePurgeProtection\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1115 - Audit Review, Analysis, And Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1115\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0b653845-2ad9-4e09-a4f3-5a7c1d78353d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0b653845-2ad9-4e09-a4f3-5a7c1d78353d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1239 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1239\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0be51298-f643-4556-88af-d7db90794879\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0be51298-f643-4556-88af-d7db90794879\"},{\"properties\":{\"displayName\":\"Ensure + API app has 'Client Certificates (Incoming client certificates)' set to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client + certificates allow for the app to request a certificate for incoming requests. 
+ Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0c192fe8-9cbb-4516-85b3-0ade8bd03886\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0c192fe8-9cbb-4516-85b3-0ade8bd03886\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1496 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1496\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ca96127-2f87-46ab-a4fc-0d2a786df1c8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ca96127-2f87-46ab-a4fc-0d2a786df1c8\"},{\"properties\":{\"displayName\":\"SQL + server TDE protector should be encrypted with your own key\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + Data Encryption (TDE) with your own key support provides increased transparency + and control over the TDE Protector, increased security with an HSM-backed + 
external service, and promotion of separation of duties.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/encryptionProtector\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/servers/encryptionProtector/serverKeyType\",\"equals\":\"AzureKeyVault\"},{\"field\":\"Microsoft.Sql/servers/encryptionProtector/uri\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/servers/encryptionProtector/uri\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d134df8-db83-46fb-ad72-fe0c9428c8dd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d134df8-db83-46fb-ad72-fe0c9428c8dd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1518 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1518\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d58f734-c052-40e9-8b2f-a1c2bff0b815\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d58f734-c052-40e9-8b2f-a1c2bff0b815\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1713 - 
Software, Firmware, And Information Integrity | Integrity + Checks\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1713\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d87c70b-5012-48e9-994b-e70dd4b8def0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d87c70b-5012-48e9-994b-e70dd4b8def0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1466 - Visitor Access Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1466\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d943a9c-a6f1-401f-a792-740cdb09c451\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d943a9c-a6f1-401f-a792-740cdb09c451\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs on which Windows Defender Exploit Guard + is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. 
This definition allows Azure Policy to process the results of + auditing Windows virtual machines on which Windows Defender Exploit Guard + is not enabled. For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"clo
ud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDefenderExploitGuard\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0d9b45ff-9ddd-43fc-bf59-fbd1c8423053\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0d9b45ff-9ddd-43fc-bf59-fbd1c8423053\"},{\"properties\":{\"displayName\":\"Managed + identity should be used in your Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0da106f2-4ca3-48e8-bc85-c638fe6aea8f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1718 - Software, Firmware, And Information Integrity | Binary + Or Machine Executable Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1718\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0dced7ab-9ce5-4137-93aa-14c13e06ab17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0dced7ab-9ce5-4137-93aa-14c13e06ab17\"},{\"properties\":{\"displayName\":\"[Preview]: + Authorized IP ranges should be defined on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Restrict + access to the Kubernetes Service Management API by granting API access only + to IP addresses in specific ranges. 
It is recommended to limit access to authorized + IP ranges to ensure that only applications from allowed networks can access + the cluster.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security + Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"field\":\"Microsoft.ContainerService/managedClusters/apiServerAccessProfile.authorizedIPRanges\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0e246bcf-5f6f-4f87-bc6f-775d4712c7ea\"},{\"properties\":{\"displayName\":\"Remote + debugging should be turned off for Function Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + debugging requires inbound ports to be opened on an function app. 
Remote debugging + should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0e60b895-3786-45da-8377-9c6b4b6ac5f9\"},{\"properties\":{\"displayName\":\"Geo-redundant + backup should be enabled for Azure Database for MariaDB\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Azure Database for MariaDB with geo-redundant backup not + enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMariaDB/servers\"},{\"field\":\"Microsoft.DBforMariaDB/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ec47710-77ff-4a3d-9181-6aa50af424d0\"},{\"properties\":{\"displayName\":\"Deploy + 
prerequisites to enable Guest Configuration Policy on Windows VMs.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration on Windows VMs. This is a prerequisites for Guest + Configuration Policy and must be assigned to the scope before using any Guest + Configuration policy. For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-
windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"AzurePolicyforWindows\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.GuestConfiguration\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"ConfigurationforWindows\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"apiVersion\":\"2015-05-01-preview\",\"name\":\"
[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ecd903d-91e7-4726-83d3-a229d7f2e293\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ecd903d-91e7-4726-83d3-a229d7f2e293\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1601 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1601\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0ee79a0c-addf-4ce9-9b3c-d9576ed5e20e\"},{\"properties\":{\"displayName\":\"[Preview]: + Audit Azure Spring Cloud instances where distributed tracing is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"With + the distributed tracing tools in Azure Spring Cloud, you can easily debug + and monitor complex issues. Azure Spring Cloud integrates Azure Spring Cloud + Sleuth with Azure's Application Insights. 
This integration provides powerful + distributed tracing capability from the Azure portal.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"App + Platform\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.AppPlatform/Spring\"},{\"anyOf\":[{\"field\":\"Microsoft.AppPlatform/Spring/trace.enabled\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.AppPlatform/Spring/trace.state\",\"notEquals\":\"Succeeded\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f2d8593-4667-4932-acca-6a9f187af109\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f2d8593-4667-4932-acca-6a9f187af109\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1476 - Fire Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1476\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f3c4ac2-3e35-4906-a80b-473b12a622d7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f3c4ac2-3e35-4906-a80b-473b12a622d7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1204 - Access Restrictions For Change | Review System 
Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1204\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f4f6750-d1ab-4a4c-8dfd-af3237682665\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f4f6750-d1ab-4a4c-8dfd-af3237682665\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1430 - Media Marking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1430\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f559588-5e53-4b14-a7c4-85d28ebc2234\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f559588-5e53-4b14-a7c4-85d28ebc2234\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1574 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1574\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f935dab-83d6-47b8-85ef-68b8584161b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f935dab-83d6-47b8-85ef-68b8584161b9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1164 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1164\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0fb8d3ce-9e96-481c-9c68-88d4e3019310\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0fb8d3ce-9e96-481c-9c68-88d4e3019310\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1017 - Account Management | Inactivity Logout\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1017\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0fc3db37-e59a-48c1-84e9-1780cedb409e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0fc3db37-e59a-48c1-84e9-1780cedb409e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1087 - Security Awareness And Training Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1087\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/100c82ba-42e9-4d44-a2ba-94b209248583\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"100c82ba-42e9-4d44-a2ba-94b209248583\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that do not contain the specified + certificates in Trusted Root\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows VMs that + do not contain the specified certificates in the Trusted Root Certification + Authorities certificate store (Cert:\\\\LocalMachine\\\\Root). It also creates + a system-assigned managed identity and deploys the VM extension for Guest + Configuration. 
This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"CertificateThumbprints\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Certificate thumbprints\",\"description\":\"A semicolon-separated list of + certificate thumbprints that should exist under the Trusted Root certificate + store (Cert:\\\\LocalMachine\\\\Root). e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-intern
et-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsCertificateInTrustedRoot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', + '=', 
parameters('CertificateThumbprints')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsCertificateInTrustedRoot\"},\"CertificateThumbprints\":{\"value\":\"[parameters('CertificateThumbprints')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"CertificateThumbprints\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprints')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprints')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/106ccbe4-a791-4f33-a44a-06796944b8d5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"106ccbe4-a791-4f33-a44a-06796944b8d5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1554 - Vulnerability Scanning | Discoverable Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1554\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10984b4e-c93e-48d7-bf20-9c03b04e9eca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10984b4e-c93e-48d7-bf20-9c03b04e9eca\"},{\"properties\":{\"displayName\":\"Ensure + that '.Net Framework' version is the latest, if used as a part of the Function + App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for .Net Framework software either due to security + flaws or to include additional functionality. Using the latest .Net framework + version for web apps is recommended in order to to take advantage of security + fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10c1859c-e1a7-4df3-ab97-a487fa8059f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10c1859c-e1a7-4df3-ab97-a487fa8059f6\"},{\"properties\":{\"displayName\":\"Custom + subscription owner roles should not exist\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy ensures that no custom subscription owner roles exist.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Authorization/roleDefinitions\"},{\"field\":\"Microsoft.Authorization/roleDefinitions/type\",\"equals\":\"CustomRole\"},{\"anyOf\":[{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/permissions[*].actions[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/permissions.actions[*]\",\"notEquals\":\"*\"}}]},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/assignableScopes[*]\",\"notIn\":[\"[concat(subscription().id,'/')]\",\"[subscription().id]\",\"/\"]}},{\"not\":{\"field\":\"Microsoft.Authorization/roleDefinitions/assignableScopes[*]\",\"notLike\":\"/providers/Microsoft.Management/*\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1230 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1230\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/11158848-f679-4e9b-aa7b-9fb07d945071\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"11158848-f679-4e9b-aa7b-9fb07d945071\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1432 - Media 
Storage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1432\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1140e542-b80d-4048-af45-3f7245be274b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1140e542-b80d-4048-af45-3f7245be274b\"},{\"properties\":{\"displayName\":\"[Preview]: + Audit Dependency Agent Deployment - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + VMs as non-compliant if the VM Image (OS) is not in the list defined and the + agent is not installed. 
The list of OS images will be updated over time as + support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Data
center-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Mic
rosoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"Centos\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/11ac78e3-31bc-4f0c-8434-37ab963cea07\",\"type\":\"
Microsoft.Authorization/policyDefinitions\",\"name\":\"11ac78e3-31bc-4f0c-8434-37ab963cea07\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1655 - Voice Over Internet Protocol\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1655\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/121eab72-390e-4629-a7e2-6d6184f57c6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"121eab72-390e-4629-a7e2-6d6184f57c6b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1681 - Malicious Code Protection | Automatic Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1681\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12623e7e-4736-4b2e-b776-c1600f35f93a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12623e7e-4736-4b2e-b776-c1600f35f93a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1240 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this 
Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1240\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/129eb39f-d79a-4503-84cd-92f036b5e429\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"129eb39f-d79a-4503-84cd-92f036b5e429\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - System objects'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + System objects'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemobjects\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsSystemobjects\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12ae2d24-3805-4b37-9fa9-465968bfbcfa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12ae2d24-3805-4b37-9fa9-465968bfbcfa\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1666 - System And 
Information Integrity Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1666\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12e30ee3-61e6-4509-8302-a871e8ebb91e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12e30ee3-61e6-4509-8302-a871e8ebb91e\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs that do not have the specified applications + installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that do not have the specified applications installed. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"installedApplication\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application + names (supports wildcards)\",\"description\":\"A semicolon-separated list + of the names of the applications that should be installed. e.g. 
'Microsoft + SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL + Server 2014*' (to match any application starting with 'Microsoft SQL Server + 2014')\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osPro
file.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WhitelistedApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[InstalledApplication]bwhitelistedapp;Name', + '=', parameters('installedApplication')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WhitelistedApplication\"},\"installedApplication\":{\"value\":\"[parameters('installedApplication')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"installedApplication\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]bwhitelistedapp;Name\",\"value\":\"[parameters('installedApplication')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]bwhitelistedapp;Name\",\"value\":\"[parameters('installedApplication')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12f7e5d0-42a7-4630-80d8-54fb7cff9bd6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12f7e5d0-42a7-4630-80d8-54fb7cff9bd6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1347 - Identification And Authentication (Non-Org. Users) + | Acceptance Of PIV Creds. From Other Agys.\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1347\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/131a2706-61e9-4916-a164-00e052056462\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"131a2706-61e9-4916-a164-00e052056462\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1450 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1450\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/134d7a13-ba3e-41e2-b236-91bfcfa24e01\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"134d7a13-ba3e-41e2-b236-91bfcfa24e01\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1184 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1184\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13579d0e-0ab0-4b26-b0fb-d586f6d7ed20\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13579d0e-0ab0-4b26-b0fb-d586f6d7ed20\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1085 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1085\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13d117e0-38b0-4bbb-aaab-563be5dd10ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13d117e0-38b0-4bbb-aaab-563be5dd10ba\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1404 - Maintenance Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1404\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13d8f903-0cd6-449f-a172-50f6579c182b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13d8f903-0cd6-449f-a172-50f6579c182b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1695 - Information System Monitoring | Wireless Intrusion + Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1695\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/13fcf812-ec82-4eda-9b89-498de9efd620\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"13fcf812-ec82-4eda-9b89-498de9efd620\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs in which the Administrators group contains + any of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + in which the Administrators group contains any of the specified members. It + also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MembersToExclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members + to exclude\",\"description\":\"A semicolon-separated list of members that + should be excluded in the Administrators local group. 
Ex: Administrator; myUser1; + myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":
\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToExclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;MembersToExclude', + '=', parameters('MembersToExclude')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembersToExclude\"},\"MembersToExclude\":{\"value\":\"[parameters('MembersToExclude')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MembersToExclude\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToExclude\",\"value\":\"[parameters('MembersToExclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToExclude\",\"value\":\"[parameters('MembersToExclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/144f1397-32f9-4598-8c88-118decc3ccba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"144f1397-32f9-4598-8c88-118decc3ccba\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1157 - Plan Of Action And Milestones\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1157\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/15495367-cf68-464c-bbc3-f53ca5227b7a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"15495367-cf68-464c-bbc3-f53ca5227b7a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1491 - Security Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1491\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1571dd40-dafc-4ef4-8f55-16eba27efc7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1571dd40-dafc-4ef4-8f55-16eba27efc7b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1564 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1564\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/157f0ef9-143f-496d-b8f9-f8c8eeaad801\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"157f0ef9-143f-496d-b8f9-f8c8eeaad801\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that do not have a minimum password + age of 1 day\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that do not have a minimum password age of 1 day. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordAge\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MinimumPasswordAge\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16390df4-2f73-4b42-af13-c801066763df\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16390df4-2f73-4b42-af13-c801066763df\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1662 - Fail In Known 
State\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1662\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/165cb91f-7ea8-4ab7-beaf-8636b98c9d15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"165cb91f-7ea8-4ab7-beaf-8636b98c9d15\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1684 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1684\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16bfdb59-db38-47a5-88a9-2e9371a638cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16bfdb59-db38-47a5-88a9-2e9371a638cf\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs that do not have the specified Windows PowerShell + modules installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. 
This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not have the specified Windows PowerShell + modules installed. For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastru
cture-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellModules\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16f9b37c-4408-4c30-bc17-254958f2e2d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16f9b37c-4408-4c30-bc17-254958f2e2d6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1103 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1103\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16feeb31-6377-437e-bbab-d7f73911896d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16feeb31-6377-437e-bbab-d7f73911896d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1007 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1007\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17200329-bf6c-46d8-ac6d-abf4641c2add\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17200329-bf6c-46d8-ac6d-abf4641c2add\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1349 - Identification And Authentication (Non-Org. 
Users) + | Use Of FICAM-Approved Products\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1349\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17641f70-94cd-4a5d-a613-3d1143e20e34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17641f70-94cd-4a5d-a613-3d1143e20e34\"},{\"properties\":{\"displayName\":\"Deploy + associations for a managed application\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + an association resource that associates selected resource types to the specified + managed application. 
This policy deployment does not support nested resource + types.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Managed Application\"},\"parameters\":{\"targetManagedApplicationId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Managed + application ID\",\"description\":\"Resource ID of the managed application + to which resources need to be associated.\"}},\"resourceTypesToAssociate\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource + types to associate\",\"description\":\"The list of resource types to be associated + to the managed application.\",\"strongType\":\"resourceTypes\"}},\"associationNamePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Association + name prefix\",\"description\":\"Prefix to be added to the name of the association + resource being created.\"},\"defaultValue\":\"DeployedByPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('resourceTypesToAssociate')]\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.CustomProviders/Associations\",\"name\":\"[concat(parameters('associationNamePrefix'), + '-', uniqueString(parameters('targetManagedApplicationId')))]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"associatedResourceName\":{\"type\":\"string\"},\"resourceTypesToAssociate\":{\"type\":\"string\"},\"targetManagedApplicationId\":{\"type\":\"string\"},\"associationNamePrefix\":{\"type\":\"string\"}},\"variables\":{\"resourceType\":\"[concat(parameters('resourceTypesToAssociate'), + '/providers/associations')]\",\"resourceName\":\"[concat(parameters('associatedResourceName'), + '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', 
uniqueString(parameters('targetManagedApplicationId')))]\"},\"resources\":[{\"type\":\"Microsoft.Resources/deployments\",\"apiVersion\":\"2017-05-10\",\"name\":\"[concat(deployment().Name, + '-2')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"type\":\"[variables('resourceType')]\",\"name\":\"[variables('resourceName')]\",\"apiVersion\":\"2018-09-01-preview\",\"properties\":{\"targetResourceId\":\"[parameters('targetManagedApplicationId')]\"}}]}}}]},\"parameters\":{\"resourceTypesToAssociate\":{\"value\":\"[field('type')]\"},\"associatedResourceName\":{\"value\":\"[field('name')]\"},\"targetManagedApplicationId\":{\"value\":\"[parameters('targetManagedApplicationId')]\"},\"associationNamePrefix\":{\"value\":\"[parameters('associationNamePrefix')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17763ad9-70c0-4794-9397-53d765932634\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17763ad9-70c0-4794-9397-53d765932634\"},{\"properties\":{\"displayName\":\"Transparent + Data Encryption on SQL databases should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Transparent + data encryption should be enabled to protect data-at-rest and meet compliance + requirements\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"name\":\"current\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/transparentDataEncryption.status\",\"equals\":\"enabled\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"17k78e20-9358-41c9-923c-fb736d382a12\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1325 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1325\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1845796a-7581-49b2-ae20-443121538e19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1845796a-7581-49b2-ae20-443121538e19\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1480 - Temperature And Humidity Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1480\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/18a767cc-1947-4338-a240-bc058c81164f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"18a767cc-1947-4338-a240-bc058c81164f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1369 - Incident Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1369\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/18cc35ed-a429-486d-8d59-cb47e87304ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"18cc35ed-a429-486d-8d59-cb47e87304ed\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1269 - Alternate Storage Site | Separation From Primary Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1269\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/19b9439d-865d-4474-b17d-97d2702fdb66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"19b9439d-865d-4474-b17d-97d2702fdb66\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1071 - Wireless Access | Restrict Configurations By Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1071\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a437f5b-9ad6-4f28-8861-de404d511ae4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a437f5b-9ad6-4f28-8861-de404d511ae4\"},{\"properties\":{\"displayName\":\"Azure + Monitor log profile should collect logs for categories 'write,' 'delete,' + and 'action'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy ensures that a log profile collects logs for categories 'write,' 'delete,' + and 'action'\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logprofiles\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Write\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Delete\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/categories[*]\",\"notEquals\":\"Action\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a4e592a-6a6e-44a5-9814-e36264ca96e7\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Access to App Services should be restricted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure + security center has discovered that the networking configuration of some of + your app services are overly permissive and allow inbound traffic from ranges + that are too broad\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"Disabled\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"restrictAccessToAppServices\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a833ff1-d297-4a0f-9944-888428f8e0ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a833ff1-d297-4a0f-9944-888428f8e0ff\"},{\"properties\":{\"displayName\":\"Vulnerability + assessment should be enabled on your SQL managed instances\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + SQL managed instances which do not have recurring vulnerability assessment + scans enabled. Vulnerability assessment can discover, track, and help you + remediate potential database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/vulnerabilityAssessments/recurringScans.isEnabled\",\"equals\":\"True\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1b7aa243-30e4-4c9e-bca8-d0d3022b634a\"},{\"properties\":{\"displayName\":\"Ensure + 
that 'PHP version' is the latest, if used as a part of the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for PHP software either due to security flaws + or to include additional functionality. Using the latest PHP version for API + apps is recommended in order to to take advantage of security fixes, if any, + and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest + PHP version\",\"description\":\"Latest supported PHP version for App Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', + 
parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Dependency Agent for Windows VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Dependency Agent for Windows VMs if the VM Image (OS) is in the list defined + and the agent is not installed. The list of OS images will be updated over + time as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + value: 
'/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":
\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"strin
g\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentWindows\",\"vmExtensionTypeHandlerVersion\":\"9.6\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"[concat(parameters('vmName'), + '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + extension for VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1c210e94-a481-4beb-95fa-1571b434fb04\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1c210e94-a481-4beb-95fa-1571b434fb04\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1072 - Wireless Access | Antennas / Transmission Power Levels\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1072\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1ca29e41-34ec-4e70-aba9-6248aca18c31\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1ca29e41-34ec-4e70-aba9-6248aca18c31\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1656 - Secure Name / Address Resolution Service (Authoritative + Source)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1656\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1cb067d5-c8b5-4113-a7ee-0a493633924b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1cb067d5-c8b5-4113-a7ee-0a493633924b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1592 - External Information System Services | Consistent Interests + Of Consumers And Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1592\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d01ba6c-289f-42fd-a408-494b355b6222\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d01ba6c-289f-42fd-a408-494b355b6222\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1088 - Security Awareness And Training Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1088\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d50f99d-1356-49c0-934a-45f742ba7783\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d50f99d-1356-49c0-934a-45f742ba7783\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1538 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1538\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d7658b2-e827-49c3-a2ae-6d2bd0b45874\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d7658b2-e827-49c3-a2ae-6d2bd0b45874\"},{\"properties\":{\"displayName\":\"Virtual + machines should be migrated to new Azure Resource Manager resources\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + new Azure Resource Manager for your virtual machines to provide security enhancements + such as: stronger access control (RBAC), better auditing, ARM-based deployment + and governance, access to managed identities, access to key vault for secrets, + Azure AD-based authentication and support for tags and resource groups for + easier security management\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.ClassicCompute/virtualMachines\",\"Microsoft.Compute/virtualMachines\"]},{\"value\":\"[field('type')]\",\"equals\":\"Microsoft.ClassicCompute/virtualMachines\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1d84d5fb-01f6-4d12-ba4f-4a26081d403d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1298 - Identification And 
Authentication Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1298\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1dc784b5-4895-4d27-9d40-a06b032bd1ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1dc784b5-4895-4d27-9d40-a06b032bd1ee\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit API Applications that are not using latest supported .NET Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported .NET Framework version for the latest security classes. 
+ Using older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestDotNet\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1de7b11d-1870-41a5-8181-507e7c663cfb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1de7b11d-1870-41a5-8181-507e7c663cfb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1595 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1595\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1e0414e7-6ef5-4182-8076-aa82fbb53341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1e0414e7-6ef5-4182-8076-aa82fbb53341\"},{\"properties\":{\"displayName\":\"Require + tag and its value\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enforces + a required tag and its value. Does not apply to resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"equals\":\"[parameters('tagValue')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1e30110a-5ceb-460c-a204-c1c3969c6d62\"},{\"properties\":{\"displayName\":\"An + Azure Active Directory administrator should be provisioned for SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + provisioning of an Azure Active Directory administrator for your SQL server + to enable Azure AD authentication. 
Azure AD authentication enables simplified + permission management and centralized identity management of database users + and other Microsoft services\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/administrators\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f314764-cb73-4fc9-b863-8eca98ac36e9\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Event Hub to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Event Hub to stream to a regional Log Analytics + workspace when any Event Hub which is missing this diagnostic settings is + created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.EventHub/namespaces/providers/diagnosticSettings\",\"apiVer
sion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ArchiveLogs\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}},{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutoScaleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"KafkaCoordinatorLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"EventHubVNetConnectionEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CustomerManagedKeyUserLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f6e93e8-6b31-41b1-83f6-36e449a42579\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Shutdown'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Shutdown'. 
It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Shutdown: Allow system to be shut down without having to log on\",\"description\":\"Specifies + whether a computer can be shut down when a user is not logged on. If this + policy setting is enabled, the shutdown command is available on the Windows + logon screen.\"},\"defaultValue\":\"0\"},\"ShutdownClearVirtualMemoryPagefile\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Shutdown: Clear virtual memory pagefile\",\"description\":\"Specifies whether + the virtual memory pagefile is cleared when the system is shut down. When + this policy setting is enabled, the system pagefile is cleared each time that + the system shuts down properly. 
For systems with large amounts of RAM, this + could result in substantial time needed to complete the shutdown.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":
\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsShutdown\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Shutdown: + Allow system to be shut down without having to log on;ExpectedValue', '=', + parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn'), ',', 'Shutdown: + Clear virtual memory pagefile;ExpectedValue', '=', 
parameters('ShutdownClearVirtualMemoryPagefile')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsShutdown\"},\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},\"ShutdownClearVirtualMemoryPagefile\":{\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn\":{\"type\":\"string\"},\"ShutdownClearVirtualMemoryPagefile\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue\",\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},{\"name\":\"Shutdown: + Clear virtual memory pagefile;ExpectedValue\",\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Shutdown: + Allow system to be shut down without having to log on;ExpectedValue\",\"value\":\"[parameters('ShutdownAllowSystemToBeShutDownWithoutHavingToLogOn')]\"},{\"name\":\"Shutdown: + Clear virtual memory pagefile;ExpectedValue\",\"value\":\"[parameters('ShutdownClearVirtualMemoryPagefile')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1f8c20ce-3414-4496-8b26-0e902a1541da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1f8c20ce-3414-4496-8b26-0e902a1541da\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1616 - System And Communications Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1616\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2006457a-48b3-4f7b-8d2e-1532287f9929\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2006457a-48b3-4f7b-8d2e-1532287f9929\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1650 - Public Key Infrastructure Certificates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1650\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/201d3740-bd16-4baf-b4b8-7cda352228b7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"201d3740-bd16-4baf-b4b8-7cda352228b7\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Web ports should be restricted on Network Security Groups associated to your + VM\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure security + center has discovered that some of your virtual machines are running web applications, + and the NSGs associated to these virtual machines are overly permissive with + regards to the web application ports\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"Disabled\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"unprotectedWebApplication\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/201ea587-7c90-41c3-910f-c280ae01cfd6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"201ea587-7c90-41c3-910f-c280ae01cfd6\"},{\"properties\":{\"displayName\":\"Microsoft + 
Managed Control 1181 - Baseline Configuration | Retention Of Previous Configurations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1181\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21839937-d241-4fa5-95c6-b669253d9ab9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21839937-d241-4fa5-95c6-b669253d9ab9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1111 - Response To Audit Processing Failures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1111\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21de687c-f15e-4e51-bf8d-f35c8619965b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21de687c-f15e-4e51-bf8d-f35c8619965b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1596 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1596\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21e25e01-0ae0-41be-919e-04ce92b8e8b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21e25e01-0ae0-41be-919e-04ce92b8e8b8\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Audit'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Audit'. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAudit\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21e2995e-683e-497a-9e81-2f42ad07050a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21e2995e-683e-497a-9e81-2f42ad07050a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1426 - Media Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1426\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/21f639bc-f42b-46b1-8f40-7a2a389c291a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"21f639bc-f42b-46b1-8f40-7a2a389c291a\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit API Apps that are not 
using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + of custom domains protects a API app from common attacks such as phishing + and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/224da9fe-0d38-4e79-adb3-0a6e2af942ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"224da9fe-0d38-4e79-adb3-0a6e2af942ac\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1399 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1399\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2256e638-eb23-480f-9e15-6cf1af0a76b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2256e638-eb23-480f-9e15-6cf1af0a76b3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1221 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1221\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22589a07-0007-486a-86ca-95355081ae2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22589a07-0007-486a-86ca-95355081ae2a\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - Account Management'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - Account Management'. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountManagement\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/225e937e-d32e-4713-ab74-13ce95b3519a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"225e937e-d32e-4713-ab74-13ce95b3519a\"},{\"properties\":{\"displayName\":\"Management + ports should be closed on your virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Open + remote management ports are exposing your VM to a high level of risk from + Internet-based attacks. 
These attacks attempt to brute force credentials to + gain admin access to the machine.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"restrictAccessToManagementPorts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22730e10-96f6-4aac-ad84-9383d35b5917\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1493 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1493\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22b469b3-fccf-42da-aa3b-a28e6fb113ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22b469b3-fccf-42da-aa3b-a28e6fb113ce\"},{\"properties\":{\"displayName\":\"Only + secure connections to your Redis Cache should be 
enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + enabling of only connections via SSL to Redis Cache. Use of secure connections + ensures authentication between the server and the service and protects data + in transit from network layer attacks such as man-in-the-middle, eavesdropping, + and session-hijacking\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Cache\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Cache/redis\"},{\"field\":\"Microsoft.Cache/Redis/enableNonSslPort\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"22bee202-a82f-4305-9a2a-6d7f44d4dedb\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that do not restrict the minimum + password length to 14 characters\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that do not restrict the minimum password length to 14 characters. It also + creates a system-assigned managed identity and deploys the VM extension for + Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordLength\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MinimumPasswordLength\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/23020aa6-1135-4be2-bae2-149982b06eca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"23020aa6-1135-4be2-bae2-149982b06eca\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1256 - Contingency Plan | 
Identify Critical Assets\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1256\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/232ab24b-810b-4640-9019-74a7d0d6a980\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"232ab24b-810b-4640-9019-74a7d0d6a980\"},{\"properties\":{\"displayName\":\"Service + Bus should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Service Bus not configured to use a virtual network service + endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.ServiceBus/namespaces/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.ServiceBus/namespaces/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/235359c5-7c52-4b82-9055-01c75cf9f60e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"235359c5-7c52-4b82-9055-01c75cf9f60e\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Stream Analytics to Log Analytics 
workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Stream Analytics to stream to a regional Log Analytics + workspace when any Stream Analytics which is missing this diagnostic settings + is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingjobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Execution\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Authoring\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1268 - Alternate Storage Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1268\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/23f6e984-3053-4dfc-ab48-543b764781f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"23f6e984-3053-4dfc-ab48-543b764781f5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1122 - Audit Review, Analysis, And Reporting | Permitted 
Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1122\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/243ec95e-800c-49d4-ba52-1fdd9f6b8b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"243ec95e-800c-49d4-ba52-1fdd9f6b8b57\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1231 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1231\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/244e0c05-cc45-4fe7-bf36-42dcf01f457d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"244e0c05-cc45-4fe7-bf36-42dcf01f457d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1082 - Information Sharing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1082\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/24d480ef-11a0-4b1b-8e70-4e023bf2be23\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"24d480ef-11a0-4b1b-8e70-4e023bf2be23\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that do not have a maximum password age + of 70 days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not have a maximum password age + of 70 days. For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MaximumPasswordAge\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/24dde96d-f0b1-425e-884f-4a1421e2dcdc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"24dde96d-f0b1-425e-884f-4a1421e2dcdc\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Data Lake Storage Gen1 to stream to a regional + Log Analytics workspace when any Data Lake Storage Gen1 which is missing this + diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings\",\"
apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25763a0a-5783-4f14-969e-79d4933eb74b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25763a0a-5783-4f14-969e-79d4933eb74b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1372 - Incident Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1372\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25b96717-c912-4c00-9143-4e487f411726\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25b96717-c912-4c00-9143-4e487f411726\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1038 - Least Privilege | Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1038\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26692e88-71b7-4a5f-a8ac-9f31dd05bd8e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26692e88-71b7-4a5f-a8ac-9f31dd05bd8e\"},{\"properties\":{\"displayName\":\"Endpoint + protection solution should be installed on virtual machine scale sets\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + the existence and health of an endpoint protection solution on your virtual + machines scale sets, to protect them from threats and vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EndpointProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26a828e1-e88f-464e-bbb3-c134a282b9de\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1649 - Collaborative Computing Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1649\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26d292cc-b0b8-4c29-9337-68abc758bf7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26d292cc-b0b8-4c29-9337-68abc758bf7b\"},{\"properties\":{\"displayName\":\"Metric + alert rules should be configured on Batch accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + configuration of metric alert rules on Batch account to enable the required + metric\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Batch\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of 
the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"metricName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Metric + name\",\"description\":\"The metric name that an alert rule must be enabled + on\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/alertRules\",\"existenceScope\":\"Subscription\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/alertRules/isEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/alertRules/condition.dataSource.metricName\",\"equals\":\"[parameters('metricName')]\"},{\"field\":\"Microsoft.Insights/alertRules/condition.dataSource.resourceUri\",\"equals\":\"[concat('/subscriptions/', + subscription().subscriptionId, '/resourcegroups/', resourceGroup().name, '/providers/Microsoft.Batch/batchAccounts/', + field('name'))]\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1396 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1396\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/276af98f-4ff9-4e69-99fb-c9b2452fb85f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"276af98f-4ff9-4e69-99fb-c9b2452fb85f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1074 - Access Control For Mobile Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1074\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/27a69937-af92-4198-9b86-08d355c7e59a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"27a69937-af92-4198-9b86-08d355c7e59a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1527 - Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1527\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2823de66-332f-4bfd-94a3-3eb036cd3b67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2823de66-332f-4bfd-94a3-3eb036cd3b67\"},{\"properties\":{\"displayName\":\"Deploy + default Microsoft IaaSAntimalware extension for Windows Server\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy deploys a Microsoft IaaSAntimalware extension with a default configuration + when a VM is not configured with the antimalware extension.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\"]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extens
ions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"ExclusionsPaths\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon + delimited list of file paths or locations to exclude from scanning\"}},\"ExclusionsExtensions\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon + delimited list of file extensions to exclude from scanning\"}},\"ExclusionsProcesses\":{\"type\":\"string\",\"defaultValue\":\"\",\"metadata\":{\"description\":\"Semicolon + delimited list of process names to exclude from scanning\"}},\"RealtimeProtectionEnabled\":{\"type\":\"string\",\"defaultValue\":\"true\",\"metadata\":{\"description\":\"Indicates + whether or not real time protection is enabled (default is true)\"}},\"ScheduledScanSettingsIsEnabled\":{\"type\":\"string\",\"defaultValue\":\"false\",\"metadata\":{\"description\":\"Indicates + whether or not custom scheduled scan settings are enabled (default is false)\"}},\"ScheduledScanSettingsScanType\":{\"type\":\"string\",\"defaultValue\":\"Quick\",\"metadata\":{\"description\":\"Indicates + whether scheduled scan setting type is set to Quick or Full (default is Quick)\"}},\"ScheduledScanSettingsDay\":{\"type\":\"string\",\"defaultValue\":\"7\",\"metadata\":{\"description\":\"Day + of the week for scheduled scan (1-Sunday, 2-Monday, ..., 
7-Saturday)\"}},\"ScheduledScanSettingsTime\":{\"type\":\"string\",\"defaultValue\":\"120\",\"metadata\":{\"description\":\"When + to perform the scheduled scan, measured in minutes from midnight (0-1440). + For example: 0 = 12AM, 60 = 1AM, 120 = 2AM.\"}}},\"resources\":[{\"name\":\"[concat(parameters('vmName'),'/IaaSAntimalware')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2017-12-01\",\"properties\":{\"publisher\":\"Microsoft.Azure.Security\",\"type\":\"IaaSAntimalware\",\"typeHandlerVersion\":\"1.3\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"AntimalwareEnabled\":true,\"RealtimeProtectionEnabled\":\"[parameters('RealtimeProtectionEnabled')]\",\"ScheduledScanSettings\":{\"isEnabled\":\"[parameters('ScheduledScanSettingsIsEnabled')]\",\"day\":\"[parameters('ScheduledScanSettingsDay')]\",\"time\":\"[parameters('ScheduledScanSettingsTime')]\",\"scanType\":\"[parameters('ScheduledScanSettingsScanType')]\"},\"Exclusions\":{\"Extensions\":\"[parameters('ExclusionsExtensions')]\",\"Paths\":\"[parameters('ExclusionsPaths')]\",\"Processes\":\"[parameters('ExclusionsProcesses')]\"}}}}]},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"RealtimeProtectionEnabled\":{\"value\":\"true\"},\"ScheduledScanSettingsIsEnabled\":{\"value\":\"true\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2835b622-407b-4114-9198-6f7064cbe0dc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1342 - Authenticator Management | Hardware Token-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1342\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/283a4e29-69d5-4c94-b99e-29acf003c899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"283a4e29-69d5-4c94-b99e-29acf003c899\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1436 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1436\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28aab8b4-74fd-4b7c-9080-5a7be525d574\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28aab8b4-74fd-4b7c-9080-5a7be525d574\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1224 - Information System Component Inventory | Updates During + Installations / Removals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1224\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28cfa30b-7f72-47ce-ba3b-eed26c8d2c82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28cfa30b-7f72-47ce-ba3b-eed26c8d2c82\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1148 - Security Assessments | Independent Assessors\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1148\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28e62650-c7c2-4786-bdfa-17edc1673902\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28e62650-c7c2-4786-bdfa-17edc1673902\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1418 - Nonlocal Maintenance | Comparable Security / Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1418\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/28e633fd-284e-4ea7-88b4-02ca157ed713\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"28e633fd-284e-4ea7-88b4-02ca157ed713\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1634 - Boundary Protection | Prevent Unauthorized Exfiltration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1634\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/292a7c44-37fa-4c68-af7c-9d836955ded2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"292a7c44-37fa-4c68-af7c-9d836955ded2\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + User Account Control'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - User Account Control'. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsUserAccountControl\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/29829ec2-489d-4925-81b7-bda06b1718e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"29829ec2-489d-4925-81b7-bda06b1718e0\"},{\"properties\":{\"displayName\":\"Append + tag and its default value\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Appends + the specified tag and value when any resource which is missing this tag is + created or updated. Does not modify the tags of resources created before this + policy was applied until those resources are changed. Does not apply to resource + groups. 
New 'modify' effect policies are available that support remediation + of tags on existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2a0e14a6-b0a6-4fab-991a-187a4f81c498\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2a0e14a6-b0a6-4fab-991a-187a4f81c498\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1219 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1219\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2a39ac75-622b-4c88-9a3f-45b7373f7ef7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2a39ac75-622b-4c88-9a3f-45b7373f7ef7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1274 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + 
implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1274\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2aee175f-cd16-4825-939a-a85349d96210\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2aee175f-cd16-4825-939a-a85349d96210\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1603 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1603\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2b909c26-162f-47ce-8e15-0c1f55632eac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2b909c26-162f-47ce-8e15-0c1f55632eac\"},{\"properties\":{\"displayName\":\"Managed + identity should be used in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2b9ad585-36bc-4615-b300-fd4435808332\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1434 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1434\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c18f06b-a68d-41c3-8863-b8cd3acb5f8f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c18f06b-a68d-41c3-8863-b8cd3acb5f8f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1343 - Authenticator Management | Expiration Of Cached Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1343\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c251a55-31eb-4e53-99c6-e9c43c393ac2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c251a55-31eb-4e53-99c6-e9c43c393ac2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1388 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1388\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c7c575a-d4c5-4f6f-bd49-dee97a8cba55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c7c575a-d4c5-4f6f-bd49-dee97a8cba55\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1344 - Authenticator Feedback\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1344\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c895fe7-2d8e-43a2-838c-3a533a5b355e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c895fe7-2d8e-43a2-838c-3a533a5b355e\"},{\"properties\":{\"displayName\":\"SSH + access from the Internet should be blocked\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits any network security rule that allows SSH access from Internet\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\"},{\"allOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\",\"equals\":\"Allow\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\"equals\":\"Inbound\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"22\"},{\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), + contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), + contains(range(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), + '-'))), 
sub(add(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), + '-'))),1), int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), + '-'))))),22), 'false')]\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), + contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), + contains(range(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), + '-'))), sub(add(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), + '-'))),1), int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), + '-'))))),22), 
'false')]\",\"equals\":\"true\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"22\"}}]},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"Internet\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c89a2e5-7285-40fe-afe0-ae8654b92fab\"},{\"properties\":{\"displayName\":\"Unattached + disks should be encrypted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any unattached disk without encryption enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/disks\"},{\"field\":\"Microsoft.Compute/disks/diskState\",\"equals\":\"Unattached\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/disks/encryptionSettingsCollection.enabled\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/disks/encryptionSettingsCollection.enabled\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2c89a2e5-7285-40fe-afe0-ae8654b92fb2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1593 - External Information System Services | Processing, + Storage, And Service Location\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1593\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2cd0a426-b5f5-4fe0-9539-a6043cdbc6fa\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1546 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1546\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ce1ea7e-4038-4e53-82f4-63e8859333c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ce1ea7e-4038-4e53-82f4-63e8859333c1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1414 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1414\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ce63a52-e47b-4ae2-adbb-6e40d967f9e6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ce63a52-e47b-4ae2-adbb-6e40d967f9e6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1679 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1679\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2cf42a28-193e-41c5-98df-7688e7ef0a88\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2cf42a28-193e-41c5-98df-7688e7ef0a88\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1068 - Wireless Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1068\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d045bca-a0fd-452e-9f41-4ec33769717c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d045bca-a0fd-452e-9f41-4ec33769717c\"},{\"properties\":{\"displayName\":\"App + Service should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any App Service not configured to use a virtual network service + endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/virtualNetworkConnections\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/virtualnetworkconnections/vnetResourceId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d21331d-a4c2-4def-a9ad-ee4e1e023beb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1704 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1704\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d44b6fa-1134-4ea6-ad4e-9edb68f65429\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d44b6fa-1134-4ea6-ad4e-9edb68f65429\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that do not store passwords using reversible + encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. 
This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not store passwords using reversible + encryption. For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cl
oud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"StorePasswordsUsingReversibleEncryption\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d60d3b7-aa10-454c-88a8-de39d99d17c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d60d3b7-aa10-454c-88a8-de39d99d17c6\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Linux VMs that allow remote connections from accounts + without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Linux virtual machines that allow remote connections from accounts + without passwords. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":
\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid110\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2d67222d-05fd-4526-a171-2ee132ad9e83\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2d67222d-05fd-4526-a171-2ee132ad9e83\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1077 - Use Of External Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1077\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2dad3668-797a-412e-a798-07d3849a7a79\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2dad3668-797a-412e-a798-07d3849a7a79\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1149 - Security Assessments | Specialized Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1149\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2e1b855b-a013-481a-aeeb-2bcb129fd35d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2e1b855b-a013-481a-aeeb-2bcb129fd35d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1497 - System Security Plan | Plan / Coordinate With Other + Organizational Entities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1497\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2e3c5583-1729-4d36-8771-59c32f090a22\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2e3c5583-1729-4d36-8771-59c32f090a22\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1000 - Access Control Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1000\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2ef3cc79-733e-48ed-ab6f-7bf439e9b406\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2ef3cc79-733e-48ed-ab6f-7bf439e9b406\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1519 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1519\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2f13915a-324c-4ab8-b45c-2eefeeefb098\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2f13915a-324c-4ab8-b45c-2eefeeefb098\"},{\"properties\":{\"displayName\":\"[Preview]: + Network traffic data collection agent should be installed on Windows virtual + machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Security + Center uses the Microsoft Monitoring Dependency Agent to collect network traffic + data from your Azure virtual machines to enable advanced network protection + features such as traffic visualization on the network map, network hardening + recommendations and specific network threats.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":\"true\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable Dependency Agent for Windows + VMs 
monitoring\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.
Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2f2ee1de-44aa-4762-b6bd-0893fc3f306d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2f2ee1de-44aa-4762-b6bd-0893fc3f306d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1144 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1144\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fa15ff1-a693-4ee4-b094-324818dc9a51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fa15ff1-a693-4ee4-b094-324818dc9a51\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1090 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1090\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fb740e5-cbc7-4d10-8686-d1bf826652b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fb740e5-cbc7-4d10-8686-d1bf826652b1\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Web Application should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + of HTTPS ensures server/service authentication and protects data in transit + from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the 
execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForWebApplication\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fde8a98-6892-426a-83ba-050e640c0ce0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fde8a98-6892-426a-83ba-050e640c0ce0\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Network Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Network Access'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/30040dab-4e75-4456-8273-14b8f75d91d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"30040dab-4e75-4456-8273-14b8f75d91d9\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs that are not joined to the specified domain\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that are not joined to the specified domain. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"DomainName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Domain + Name (FQDN)\",\"description\":\"The fully qualified domain name (FQDN) that + the Windows VMs should be joined to\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-s
erver*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDomainMembership\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[DomainMembership]WindowsDomainMembership;DomainName', + '=', 
parameters('DomainName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDomainMembership\"},\"DomainName\":{\"value\":\"[parameters('DomainName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"DomainName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[DomainMembership]WindowsDomainMembership;DomainName\",\"value\":\"[parameters('DomainName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[DomainMembership]WindowsDomainMembership;DomainName\",\"value\":\"[parameters('DomainName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/315c850a-272d-4502-8935-b79010405970\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"315c850a-272d-4502-8935-b79010405970\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1042 - Least Privilege | Auditing Use Of Privileged Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1042\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/319dc4f0-0fed-4ac9-8fc3-7aeddee82c07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"319dc4f0-0fed-4ac9-8fc3-7aeddee82c07\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1698 - Information System Monitoring | Individuals Posing + Greater Risk\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1698\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/31b752c1-05a9-432a-8fce-c39b56550119\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"31b752c1-05a9-432a-8fce-c39b56550119\"},{\"properties\":{\"displayName\":\"[Preview]: + Audit Log Analytics Agent Deployment - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + VMs as non-compliant if the VM Image (OS) is not in the list defined and the + agent is not installed. 
The list of OS images will be updated over time as + support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"anyOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Data
center-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Mic
rosoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compu
te/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32133ab0-ee4b-4b44-98d6-042180979d50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32133ab0-ee4b-4b44-98d6-042180979d50\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1587 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1587\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32820956-9c6d-4376-934c-05cd8525be7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32820956-9c6d-4376-934c-05cd8525be7c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1333 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1333\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3298d6bf-4bc6-4278-a95d-f7ef3ac6e594\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3298d6bf-4bc6-4278-a95d-f7ef3ac6e594\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs on which the specified services are not + installed and 'Running'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + on which the specified services are not installed and 'Running'. It also creates + a system-assigned managed identity and deploys the VM extension for Guest + Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ServiceName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Service + names (supports wildcards)\",\"description\":\"A semicolon-separated list + of the names of the services that should be installed and 'Running'. e.g. 
+ 'WinRm;Wi*'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf
\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsServiceStatus\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsServiceStatus]WindowsServiceStatus1;ServiceName', + '=', parameters('ServiceName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsServiceStatus\"},\"ServiceName\":{\"value\":\"[parameters('ServiceName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ServiceName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName\",\"value\":\"[parameters('ServiceName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsServiceStatus]WindowsServiceStatus1;ServiceName\",\"value\":\"[parameters('ServiceName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32b1e4d4-6cd5-47b4-a935-169da8a5c262\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32b1e4d4-6cd5-47b4-a935-169da8a5c262\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1445 - Physical And Environmental Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1445\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/32d07d59-2716-4972-b37b-214a67ac4a37\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"32d07d59-2716-4972-b37b-214a67ac4a37\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1282 - Telecommunications Services | Single Points Of Failure\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1282\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34042a97-ec6d-4263-93d2-8c1c46823b2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34042a97-ec6d-4263-93d2-8c1c46823b2a\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Linux VMs that have accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Linux virtual machines + that have accounts without passwords. It also creates a system-assigned managed + identity and deploys the VM extension for Guest Configuration. This policy + should only be used along with its corresponding audit policy in an initiative. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid232\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid232\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3470477a-b35a-49db-aca5-1073d04524fe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3470477a-b35a-49db-aca5-1073d04524fe\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1151 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1151\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/347e3b69-7fb7-47df-a8ef-71a1a7b44bca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"347e3b69-7fb7-47df-a8ef-71a1a7b44bca\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1412 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1412\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3492d949-0dbb-4589-88b3-7b59601cc764\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3492d949-0dbb-4589-88b3-7b59601cc764\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1475 - Emergency Lighting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1475\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34a63848-30cf-4081-937e-ce1a1c885501\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34a63848-30cf-4081-937e-ce1a1c885501\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1060 - Remote Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1060\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34a987fd-2003-45de-a120-014956581f2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34a987fd-2003-45de-a120-014956581f2b\"},{\"properties\":{\"displayName\":\"Audit + unrestricted network access to storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + unrestricted network access in your storage account firewall settings. Instead, + configure network rules so only applications from allowed networks can access + the storage account. To allow connections from specific internet or on-premise + clients, access can be granted to traffic from specific Azure virtual networks + or to public internet IP address ranges\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.defaultAction\",\"equals\":\"Allow\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34c877ad-507e-4c82-993e-3452a6e0ad3c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1341 - Authenticator Management | Multiple Information System + 
Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1341\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34cb7e92-fe4c-4826-b51e-8cd203fa5d35\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34cb7e92-fe4c-4826-b51e-8cd203fa5d35\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Logic Apps should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Logic + Apps\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"34f95f76-5386-4de7-b824-0d8478470c9d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1210 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1210\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3502c968-c490-4570-8167-1476f955e9b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3502c968-c490-4570-8167-1476f955e9b8\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that do not have a maximum password + age of 70 days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that do not have a maximum password age of 70 days. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MaximumPasswordAge\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MaximumPasswordAge\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/356a906e-05e5-4625-8729-90771e0ee934\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"356a906e-05e5-4625-8729-90771e0ee934\"},{\"properties\":{\"displayName\":\"CORS + should not allow every resource to access your 
API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + Resource Sharing (CORS) should not allow all domains to access your API app. + Allow only required domains to interact with your API app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"358c20a6-3f9e-4f0e-97ff-c6ce485e2aac\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1659 - Architecture And Provisioning For Name / Address Resolution + Service\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1659\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/35a4102f-a778-4a2e-98c2-971056288df8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"35a4102f-a778-4a2e-98c2-971056288df8\"},{\"properties\":{\"displayName\":\"Gateway + subnets should not be configured with a network security group\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy denies if a gateway subnet is configured with a network security group. + Assigning a network security group to a gateway subnet will cause the gateway + to stop functioning.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks/subnets\"},{\"field\":\"name\",\"equals\":\"GatewaySubnet\"},{\"field\":\"Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id\",\"exists\":\"true\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"35f9c03a-cc27-418e-9c0c-539ff999d010\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1043 - Least Privilege | Prohibit Non-Privileged Users From + Executing Privileged Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1043\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/361a77f6-0f9c-4748-8eec-bc13aaaa2455\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"361a77f6-0f9c-4748-8eec-bc13aaaa2455\"},{\"properties\":{\"displayName\":\"Deploy + Advanced Threat Protection on Storage Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy enables Advanced Threat Protection on Storage Accounts.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/advancedThreatProtectionSettings\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Security/advancedThreatProtectionSettings/isEnabled\",\"equals\":\"true\"},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"storageAccountName\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2019-01-01\",\"type\":\"Microsoft.Storage/storageAccounts/providers/advancedThreatProtectionSettings\",\"name\":\"[concat(parameters('storage
AccountName'), + '/Microsoft.Security/current')]\",\"properties\":{\"isEnabled\":true}}]},\"parameters\":{\"storageAccountName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"361c2074-3595-4e5d-8cab-4f21dffc835c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1313 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1313\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36220f5b-79a1-4cdb-8c74-2d2449f9a510\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36220f5b-79a1-4cdb-8c74-2d2449f9a510\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1630 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1630\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3643717a-3897-4bfd-8530-c7c96b26b2a0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3643717a-3897-4bfd-8530-c7c96b26b2a0\"},{\"properties\":{\"displayName\":\"Automation + account variables should be encrypted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + is important to enable encryption of Automation account variable assets when + storing sensitive data\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Automation\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Automation/automationAccounts/variables\"},{\"field\":\"Microsoft.Automation/automationAccounts/variables/isEncrypted\",\"notEquals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3657f5a0-770e-44a3-b44e-9431ba1e9735\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1339 - Authenticator Management | Protection Of Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1339\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/367ae386-db7f-4167-b672-984ff86277c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"367ae386-db7f-4167-b672-984ff86277c0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1685 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1685\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36b0ef30-366f-4b1b-8652-a3511df11f53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36b0ef30-366f-4b1b-8652-a3511df11f53\"},{\"properties\":{\"displayName\":\"Deploy + Threat Detection on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy ensures that Threat Detection is enabled on SQL 
Servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/securityAlertPolicies.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"name\":\"[concat(parameters('serverName'), + '/Default')]\",\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"emailAccountAdmins\":true}}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36d49e87-48c4-4f2e-beed-ba4ed02b71f5\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Network Security'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Network Security'. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network Security: Configure encryption types allowed for Kerberos\",\"description\":\"Specifies + the encryption types that Kerberos is allowed to use.\"},\"defaultValue\":\"2147483644\"},\"NetworkSecurityLANManagerAuthenticationLevel\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network security: LAN Manager authentication level\",\"description\":\"Specify + which challenge-response authentication protocol is used for network logons. + This choice affects the level of authentication protocol used by clients, + the level of session security negotiated, and the level of authentication + accepted by servers.\"},\"defaultValue\":\"5\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network security: LDAP client signing requirements\",\"description\":\"Specify + the level of data signing that is requested on behalf of clients that issue + LDAP BIND requests.\"},\"defaultValue\":\"1\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) clients\",\"description\":\"Specifies which behaviors are allowed by + clients for applications using the NTLM Security Support Provider (SSP). The + SSP Interface (SSPI) is used by applications that need authentication services. 
+ See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers + for more information.\"},\"defaultValue\":\"537395200\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network security: Minimum session security for NTLM SSP based (including secure + RPC) servers\",\"description\":\"Specifies which behaviors are allowed by + servers for applications using the NTLM Security Support Provider (SSP). The + SSP Interface (SSPI) is used by applications that need authentication services.\"},\"defaultValue\":\"537395200\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft
.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkSecurity\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue', + '=', parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos'), + ',', 'Network security: LAN Manager authentication level;ExpectedValue', '=', + parameters('NetworkSecurityLANManagerAuthenticationLevel'), ',', 'Network + security: LDAP client signing requirements;ExpectedValue', '=', 
parameters('NetworkSecurityLDAPClientSigningRequirements'), + ',', 'Network security: Minimum session security for NTLM SSP based (including + secure RPC) clients;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients'), + ',', 'Network security: Minimum session security for NTLM SSP based (including + secure RPC) servers;ExpectedValue', '=', parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsNetworkSecurity\"},\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},\"NetworkSecurityLANManagerAuthenticationLevel\":{\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NetworkSecurityConfigureEncryptionTypesAllowedForKerberos\":{\"type\":\"string\"},\"NetworkSecurityLANManagerAuthenticati
onLevel\":{\"type\":\"string\"},\"NetworkSecurityLDAPClientSigningRequirements\":{\"type\":\"string\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients\":{\"type\":\"string\"},\"NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},{\"name\":\"Network + security: LAN Manager authentication level;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},{\"name\":\"Network + security: LDAP client signing requirements;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},{\"name\":\"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + clients;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},{\"name\":\"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network + Security: Configure encryption types allowed for Kerberos;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityConfigureEncryptionTypesAllowedForKerberos')]\"},{\"name\":\"Network + security: LAN Manager authentication level;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLANManagerAuthenticationLevel')]\"},{\"name\":\"Network + security: LDAP client signing requirements;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityLDAPClientSigningRequirements')]\"},{\"name\":\"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + clients;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCClients')]\"},{\"name\":\"Network + security: Minimum session security for NTLM SSP based (including secure RPC) + servers;ExpectedValue\",\"value\":\"[parameters('NetworkSecurityMinimumSessionSecurityForNTLMSSPBasedIncludingSecureRPCServers')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36e17963-7202-494a-80c3-f508211c826b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36e17963-7202-494a-80c3-f508211c826b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1557 - Vulnerability Scanning | Review Historic Audit Logs\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1557\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/36fbe499-f2f2-41b6-880e-52d7ea1d94a5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"36fbe499-f2f2-41b6-880e-52d7ea1d94a5\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Interactive Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Interactive Logon'. 
It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"
bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsInteractiveLogon\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsInteractiveLogon\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3750712b-43d0-478e-9966-d2c26f6141b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3750712b-43d0-478e-9966-d2c26f6141b9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed 
Control 1624 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1624\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/37d079e3-d6aa-4263-a069-dd7ac6dd9684\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"37d079e3-d6aa-4263-a069-dd7ac6dd9684\"},{\"properties\":{\"displayName\":\"Storage + accounts should be migrated to new Azure Resource Manager resources\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + new Azure Resource Manager for your storage accounts to provide security enhancements + such as: stronger access control (RBAC), better auditing, Azure Resource Manager + based deployment and governance, access to managed identities, access to key + vault for secrets, Azure AD-based authentication and support for tags and + resource groups for easier security management\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to 
match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.ClassicStorage/storageAccounts\",\"Microsoft.Storage/StorageAccounts\"]},{\"value\":\"[field('type')]\",\"equals\":\"Microsoft.ClassicStorage/storageAccounts\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"37e0d2fe-28a5-43d6-a273-67d37d1f5606\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1335 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1335\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/382016f3-d4ba-4e15-9716-55077ec4dc2a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"382016f3-d4ba-4e15-9716-55077ec4dc2a\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in IoT Hub should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. 
This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Internet + of Things\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Devices/IotHubs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"383856f8-de7f-44a2-81fc-e5135b5c2aa4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1081 - Information 
Sharing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1081\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3867f2a9-23bb-4729-851f-c3ad98580caf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3867f2a9-23bb-4729-851f-c3ad98580caf\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1522 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1522\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/38b470cc-f939-4a15-80e0-9f0c74f2e2c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"38b470cc-f939-4a15-80e0-9f0c74f2e2c9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1416 - Nonlocal Maintenance | Document Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1416\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/38dfd8a3-5290-4099-88b7-4081f4c4d8ae\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"38dfd8a3-5290-4099-88b7-4081f4c4d8ae\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1397 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1397\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/391af4ab-1117-46b9-b2c7-78bbd5cd995b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"391af4ab-1117-46b9-b2c7-78bbd5cd995b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1556 - Vulnerability Scanning | Automated Trend Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1556\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/391ff8b3-afed-405e-9f7d-ef2f8168d5da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"391ff8b3-afed-405e-9f7d-ef2f8168d5da\"},{\"properties\":{\"displayName\":\"Advanced + data security settings for SQL managed instance should contain an email address + to receive security alerts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure + that an email address is provided for the 'Send alerts to' field in the Advanced + Data Security server settings. This email address receives alert notifications + when anomalous activities are detected on SQL managed instances.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAddresses[*]\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3965c43d-b5f4-482e-b74a-d89ee0e0b3a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3965c43d-b5f4-482e-b74a-d89ee0e0b3a8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1232 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1232\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/396ba986-eac1-4d6d-85c4-d3fda6b78272\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"396ba986-eac1-4d6d-85c4-d3fda6b78272\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1246 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1246\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/398eb61e-8111-40d5-a0c9-003df28f1753\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"398eb61e-8111-40d5-a0c9-003df28f1753\"},{\"properties\":{\"displayName\":\"FTPS + only should be required in your Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable + FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"399b2637-a50f-4f95-96f8-3a145476eb15\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1680 - Malicious Code Protection | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1680\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/399cd6ee-0e18-41db-9dea-cde3bd712f38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"399cd6ee-0e18-41db-9dea-cde3bd712f38\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1228 - Information System Component Inventory | Accountability + Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1228\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/39c54140-5902-4079-8bb5-ad31936fe764\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"39c54140-5902-4079-8bb5-ad31936fe764\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1039 - Least Privilege | Review Of User Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1039\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3a7b9de4-a8a2-4672-914d-c5f6752aa7f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3a7b9de4-a8a2-4672-914d-c5f6752aa7f9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1648 - Collaborative Computing Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1648\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3a9eb14b-495a-4ebb-933c-ce4ef5264e32\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3a9eb14b-495a-4ebb-933c-ce4ef5264e32\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1315 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1315\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3aa87116-f1a1-4edb-bfbf-14e036f8d454\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3aa87116-f1a1-4edb-bfbf-14e036f8d454\"},{\"properties\":{\"displayName\":\"[Preview]: + Pod Security Policies should be defined on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Define + Pod Security Policies to reduce the attack vector by removing unnecessary + application privileges. It is recommended to configure Pod Security Policies + to only allow pods to access the resources which they have permissions to + access.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security + Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy\",\"exists\":\"false\"},{\"field\":\"Microsoft.ContainerService/managedClusters/enablePodSecurityPolicy\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3abeb944-26af-43ee-b83d-32aaf060fb94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3abeb944-26af-43ee-b83d-32aaf060fb94\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1548 - Vulnerability 
Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1548\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3afe6c78-6124-4d95-b85c-eb8c0c9539cb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3afe6c78-6124-4d95-b85c-eb8c0c9539cb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1266 - Contingency Plan Testing | Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1266\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b4a3eb2-c25d-40bf-ad41-5094b6f59cee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b4a3eb2-c25d-40bf-ad41-5094b6f59cee\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1003 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1003\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b68b179-3704-4ff7-b51d-7d65374d165d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b68b179-3704-4ff7-b51d-7d65374d165d\"},{\"properties\":{\"displayName\":\"An + activity log alert should exist for specific Security operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits specific Security operations with no activity log alerts configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation + Name\",\"description\":\"Security Operation name for which activity log alert + should 
exist\"},\"allowedValues\":[\"Microsoft.Security/policies/write\",\"Microsoft.Security/securitySolutions/write\",\"Microsoft.Security/securitySolutions/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Security\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3b980d31-7904-4bb7-8575-5665739a8052\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3b980d31-7904-4bb7-8575-5665739a8052\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Dependency Agent for Windows VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Dependency Agent for Windows VM Scale Sets if the VM Image (OS) is in the + list defined and the agent is not installed. The list of OS images will be + updated over time as support is updated. 
Note: if your scale set upgradePolicy + is set to Manual, you need to apply the extension to the all VMs in the set + by calling upgrade on them. In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacen
ter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"Dependen
cyAgentWindows\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentWindows\",\"vmExtensionTypeHandlerVersion\":\"9.7\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"name\":\"[concat(parameters('vmName'), + '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3be22e3b-d919-47aa-805e-8985dbeb0ad9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3be22e3b-d919-47aa-805e-8985dbeb0ad9\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Log Analytics Agent for Windows VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Log Analytics Agent for Windows VM Scale Sets if the VM Image (OS) is in the + list defined and the agent is not installed. The list of OS images will be + updated over time as support is updated. 
Note: if your scale set upgradePolicy + is set to Manual, you need to apply the extension to the all VMs in the set + by calling upgrade on them. In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Log Analytics workspace\",\"description\":\"Select Log Analytics workspace + from dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-small
disk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Micros
oft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"MicrosoftMonitoringAgent\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"MicrosoftMonitoringAgent\",\"vmExtensionTypeHandlerVersion\":\"1.0\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), + '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), + '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), + '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + 
extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3c1b3629-c8f8-4bf6-862c-037cb9094038\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3c1b3629-c8f8-4bf6-862c-037cb9094038\"},{\"properties\":{\"displayName\":\"Vulnerabilities + in security configuration on your virtual machine scale sets should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + the OS vulnerabilities on your virtual machine scale sets to protect them + from attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OsVulnerabilities\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1621 - Resource Availability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1621\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3cb9f731-744a-4691-a481-ca77b0411538\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3cb9f731-744a-4691-a481-ca77b0411538\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1521 - Personnel Termination | Automated Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1521\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3cbddf9c-a3aa-4330-a0f5-4c0c1f1862e5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1127 - Time Stamps\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1127\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3ce328db-aef3-48ed-9f81-2ab7cf839c66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3ce328db-aef3-48ed-9f81-2ab7cf839c66\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Search Services to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Search Services to stream to a regional Event + Hub when any Search Services which is missing this diagnostic settings is + created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Search/searchServices/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('
resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d5da587-71bd-41f5-ac95-dd3330c2d58d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d5da587-71bd-41f5-ac95-dd3330c2d58d\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Devices'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Devices'. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsDevices\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d7b154e-2700-4c8c-9e46-cb65ac1578c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d7b154e-2700-4c8c-9e46-cb65ac1578c2\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Deploy default Log Analytics Agent for Ubuntu VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy deploys the Log Analytics Agent on Ubuntu VMs, and connects to the + selected Log Analytics workspace\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Compute\",\"deprecated\":true},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Log Analytics workspace\",\"description\":\"Select Log Analytics workspace + from dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\",\"16.04-LTS\",\"16.04.0-LTS\",\"14.04.2-LTS\",\"12.04.5-LTS\"]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"resources\":[{\"name\":\"[concat(parameters('vmName'),'/omsPolicy')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2017-12-01\",\"properties\":{\"publisher\":\"Microsoft.EnterpriseCloud.Monitoring\",\"type\":\"OmsAgentForLinux\",\"typeHandlerVersion\":\"1.4\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), + '2015-03-20').customerId]\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), + 
'2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + monitoring for Linux VM', ': ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3d8640fc-63f6-4734-8dcb-cfd3d8c78f38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3d8640fc-63f6-4734-8dcb-cfd3d8c78f38\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1385 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1385\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e495e65-8663-49ca-9b38-9f45e800bc58\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e495e65-8663-49ca-9b38-9f45e800bc58\"},{\"properties\":{\"displayName\":\"Azure + Monitor solution 'Security and Audit' must be deployed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy ensures that Security and Audit is deployed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.OperationsManagement/solutions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.OperationsManagement/solutions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"name\",\"like\":\"Security(*)\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e596b57-105f-48a6-be97-03e9243bad6e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e596b57-105f-48a6-be97-03e9243bad6e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1160 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1160\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3e797ca6-2aa8-4333-b335-7036f1110c05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3e797ca6-2aa8-4333-b335-7036f1110c05\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1545 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1545\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3f4b171a-a56b-4328-8112-32cf7f947ee1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3f4b171a-a56b-4328-8112-32cf7f947ee1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1179 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1179\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3f9ce557-c8ab-4e6c-bb2c-9b8ed002c46c\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit API Applications that are not using latest supported PHP Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported PHP version for the latest security classes. 
Using older + classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPHP\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3fe37002-5d00-4b37-a301-da09e3a0ca66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3fe37002-5d00-4b37-a301-da09e3a0ca66\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1561 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1561\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40364c3f-c331-4e29-b1e3-2fbe998ba2f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40364c3f-c331-4e29-b1e3-2fbe998ba2f5\"},{\"properties\":{\"displayName\":\"Secure + transfer 
to storage accounts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + requirment of Secure transfer in your storage account. Secure transfer is + an option that forces your storage account to accept requests only from secure + connections (HTTPS). Use of HTTPS ensures authentication between the server + and the service and protects data in transit from network layer attacks such + as man-in-the-middle, eavesdropping, and session-hijacking\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly\",\"equals\":\"True\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"404c3081-a854-4457-ae30-26a93ef643f9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1100 - Audit And Accountability Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1100\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4057863c-ca7d-47eb-b1e0-503580cba8a4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4057863c-ca7d-47eb-b1e0-503580cba8a4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1637 - Boundary Protection | Fail Secure\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1637\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4075bedc-c62a-4635-bede-a01be89807f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4075bedc-c62a-4635-bede-a01be89807f3\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Administrative + Templates - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Administrative Templates + - System'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AlwaysUseClassicLogon\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Always use classic logon\",\"description\":\"Specifies whether to force the + user to log on to the computer using the classic logon screen. This setting + only works when the computer is not on a domain.\"},\"defaultValue\":\"0\"},\"BootStartDriverInitializationPolicy\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Boot-Start Driver Initialization Policy\",\"description\":\"Specifies which + boot-start drivers are initialized based on a classification determined by + an Early Launch Antimalware boot-start driver.\"},\"defaultValue\":\"3\"},\"EnableWindowsNTPClient\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Enable Windows NTP Client\",\"description\":\"Specifies whether the Windows + NTP Client is enabled. 
Enabling the Windows NTP Client allows your computer + to synchronize its computer clock with other NTP servers.\"},\"defaultValue\":\"1\"},\"TurnOnConveniencePINSignin\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Turn on convenience PIN sign-in\",\"description\":\"Specifies whether a domain + user can sign in using a convenience PIN.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Co
mpute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Always + use classic logon;ExpectedValue', '=', parameters('AlwaysUseClassicLogon'), + ',', 'Boot-Start Driver Initialization Policy;ExpectedValue', '=', parameters('BootStartDriverInitializationPolicy'), + ',', 'Enable Windows NTP Client;ExpectedValue', '=', parameters('EnableWindowsNTPClient'), + ',', 'Turn on convenience PIN sign-in;ExpectedValue', '=', 
parameters('TurnOnConveniencePINSignin')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesSystem\"},\"AlwaysUseClassicLogon\":{\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},\"BootStartDriverInitializationPolicy\":{\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},\"EnableWindowsNTPClient\":{\"value\":\"[parameters('EnableWindowsNTPClient')]\"},\"TurnOnConveniencePINSignin\":{\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AlwaysUseClassicLogon\":{\"type\":\"string\"},\"BootStartDriverInitializationPolicy\":{\"type\":\"string\"},\"EnableWindowsNTPClient\":{\"type\":\"string\"},\"TurnOnConveniencePINSignin\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Always + use classic logon;ExpectedValue\",\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},{\"name\":\"Boot-Start + Driver Initialization Policy;ExpectedValue\",\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},{\"name\":\"Enable + 
Windows NTP Client;ExpectedValue\",\"value\":\"[parameters('EnableWindowsNTPClient')]\"},{\"name\":\"Turn + on convenience PIN sign-in;ExpectedValue\",\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Always + use classic logon;ExpectedValue\",\"value\":\"[parameters('AlwaysUseClassicLogon')]\"},{\"name\":\"Boot-Start + Driver Initialization Policy;ExpectedValue\",\"value\":\"[parameters('BootStartDriverInitializationPolicy')]\"},{\"name\":\"Enable + Windows NTP Client;ExpectedValue\",\"value\":\"[parameters('EnableWindowsNTPClient')]\"},{\"name\":\"Turn + on convenience PIN sign-in;ExpectedValue\",\"value\":\"[parameters('TurnOnConveniencePINSignin')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40917425-69db-4018-8dae-2a0556cef899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40917425-69db-4018-8dae-2a0556cef899\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1202 - Access Restrictions For Change\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1202\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40a2a83b-74f2-4c02-ae65-f460a5d2792a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40a2a83b-74f2-4c02-ae65-f460a5d2792a\"},{\"properties\":{\"displayName\":\"Inherit + a tag from the subscription if missing\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + the specified tag with its value from the containing subscription when any + resource missing this tag is created or updated. Existing resources can be + remediated by triggering a remediation task. 
If the tag exists with a different + value it will not be changed.\",\"metadata\":{\"category\":\"Tags\",\"version\":\"1.0.0\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"},{\"value\":\"[subscription().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[subscription().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40df99da-1232-49b1-a39a-6da8d878f469\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40df99da-1232-49b1-a39a-6da8d878f469\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1438 - Media Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1438\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/40fcc635-52a2-4dbc-9523-80a1f4aa1de6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"40fcc635-52a2-4dbc-9523-80a1f4aa1de6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1365 - Incident Handling | Continuity Of 
Operations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1365\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4116891d-72f7-46ee-911c-8056cc8dcbd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4116891d-72f7-46ee-911c-8056cc8dcbd5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1022 - Account Management | Shared / Group Account Credential + Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1022\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/411f7e2d-9a0b-4627-a0b9-1700432db47d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"411f7e2d-9a0b-4627-a0b9-1700432db47d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1464 - Monitoring Physical Access | Intrusion Alarms / Surveillance + Equipment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1464\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41256567-1795-4684-b00b-a1308ce43cac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"41256567-1795-4684-b00b-a1308ce43cac\"},{\"properties\":{\"displayName\":\"Azure + Monitor should collect activity logs from all regions\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits the Azure Monitor log profile which does not export activities + from all Azure supported regions including global.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiacentral2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiaeast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"australiasoutheast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"brazilsouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"canadacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"canadaeast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"centralindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"centralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastasia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"eastus2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"francecentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"francesouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"japaneast\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"japanwest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/loca
tions[*]\",\"notEquals\":\"koreacentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"koreasouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"northcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"northeurope\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southafricanorth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southafricawest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"southeastasia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uaecentral\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uaenorth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"uksouth\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"ukwest\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westcentralus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westeurope\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westindia\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westus\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"westus2\"}},{\"not\":{\"field\":\"Microsoft.Insights/logProfiles/locations[*]\",\"notEquals\":\"global\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\
":\"41388f1c-2db0-4c25-95b2-35d7f5ccbfa9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1263 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1263\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/41472613-3b05-49f6-8fe8-525af113ce17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"41472613-3b05-49f6-8fe8-525af113ce17\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1096 - Role-Based Security Training | Practical Exercises\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1096\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/420c1477-aa43-49d0-bd7e-c4abdd9addff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"420c1477-aa43-49d0-bd7e-c4abdd9addff\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1260 - Contingency Training | Simulated Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1260\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42254fc4-2738-4128-9613-72aaa4f0d9c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42254fc4-2738-4128-9613-72aaa4f0d9c3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1694 - Information System Monitoring | Analyze Communications + Traffic Anomalies\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1694\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/426c4ac9-ff17-49d0-acd7-a13c157081c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"426c4ac9-ff17-49d0-acd7-a13c157081c0\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Batch accounts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. 
This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Batch\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"428256e6-1fac-4f48-a757-df34c2b3336d\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs 
configurations in 'System Audit + Policies - Detailed Tracking'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - Detailed Tracking'. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditProcessTermination\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit Process Termination\",\"description\":\"Specifies whether audit events + are generated when a process has exited. 
Recommended for monitoring termination + of critical processes.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success + and Failure\"],\"defaultValue\":\"No Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachi
nes/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit + Process Termination;ExpectedValue', '=', parameters('AuditProcessTermination')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\"},\"AuditProcessTermination\":{\"value\":\"[parameters('AuditProcessTermination')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditProcessTermination\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Process Termination;ExpectedValue\",\"value\":\"[parameters('AuditProcessTermination')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Process Termination;ExpectedValue\",\"value\":\"[parameters('AuditProcessTermination')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42a07bbf-ffcf-459a-b4b1-30ecd118a505\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42a07bbf-ffcf-459a-b4b1-30ecd118a505\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1174 - Configuration Management Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1174\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/42a9a714-8fbb-43ac-b115-ea12d2bd652f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"42a9a714-8fbb-43ac-b115-ea12d2bd652f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1137 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1137\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4344df62-88ab-4637-b97b-bcaf2ec97e7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4344df62-88ab-4637-b97b-bcaf2ec97e7c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1367 - Incident Handling | Insider Threats - Specific Capabilities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1367\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/435b2547-6374-4f87-b42d-6e8dbe6ae62a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"435b2547-6374-4f87-b42d-6e8dbe6ae62a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1552 - Vulnerability Scanning | Update By Frequency / Prior + To New Scan / When Identified\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1552\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/43684572-e4f1-4642-af35-6b933bc506da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"43684572-e4f1-4642-af35-6b933bc506da\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - System settings'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + System settings'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + System settings: Use Certificate Rules on Windows Executables for Software + Restriction Policies\",\"description\":\"Specifies whether digital certificates + are processed when software restriction policies are enabled and a user or + process attempts to run software with an .exe file name extension. It enables + or disables certificate rules (a type of software restriction policies rule). 
+ For certificate rules to take effect in software restriction policies, you + must enable this policy setting.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":
\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemsettings\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('System + settings: Use Certificate Rules on Windows Executables for Software Restriction + Policies;ExpectedValue', '=', 
parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsSystemsettings\"},\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"System + settings: Use Certificate Rules on Windows Executables for Software Restriction + Policies;ExpectedValue\",\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"System + settings: Use Certificate Rules on Windows Executables for Software Restriction + Policies;ExpectedValue\",\"value\":\"[parameters('SystemSettingsUseCertificateRulesOnWindowsExecutablesForSoftwareRestrictionPolicies')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/437a1f8f-8552-47a8-8b12-a2fee3269dd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"437a1f8f-8552-47a8-8b12-a2fee3269dd5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 
1544 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1544\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/43ced7c9-cd53-456b-b0da-2522649a4271\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"43ced7c9-cd53-456b-b0da-2522649a4271\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1398 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1398\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/443e8f3d-b51a-45d8-95a7-18b0e42f4dc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"443e8f3d-b51a-45d8-95a7-18b0e42f4dc4\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Monitor permissive network access in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Network + Security Groups with too permissive rules will be monitored by Azure Security + Center as recommendations\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + 
Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"permissiveNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44452482-524f-4bf4-b852-0bff7cc4a3ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44452482-524f-4bf4-b852-0bff7cc4a3ed\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1066 - Remote Access | Disconnect / Disable Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1066\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4455c2e8-c65d-4acf-895e-304916f90b36\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4455c2e8-c65d-4acf-895e-304916f90b36\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1720 - Spam Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1720\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44b9a7cd-f36a-491a-a48b-6d04ae7c4221\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44b9a7cd-f36a-491a-a48b-6d04ae7c4221\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1334 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1334\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44bfdadc-8c2e-4c30-9c99-f005986fabcd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44bfdadc-8c2e-4c30-9c99-f005986fabcd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1604 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1604\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44dbba23-0b61-478e-89c7-b3084667782f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44dbba23-0b61-478e-89c7-b3084667782f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1712 - Software, Firmware, And Information Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1712\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/44e543aa-41db-42aa-98eb-8a5eb1db53f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"44e543aa-41db-42aa-98eb-8a5eb1db53f0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1310 - Device Identification And Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1310\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/450d7ede-823d-4931-a99d-57f6a38807dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"450d7ede-823d-4931-a99d-57f6a38807dc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1559 - System And Services Acquisition Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1559\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45692294-f074-42bd-ac54-16f1a3c07554\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45692294-f074-42bd-ac54-16f1a3c07554\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1578 - Acquisition Process | Functions / Ports / Protocols + / Services In Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1578\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45b7b644-5f91-498e-9d89-7402532d3645\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45b7b644-5f91-498e-9d89-7402532d3645\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1565 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1565\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/45ce2396-5c76-4654-9737-f8792ab3d26b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"45ce2396-5c76-4654-9737-f8792ab3d26b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1337 - Authenticator Management | In-Person Or Trusted Third-Party + Registration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1337\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/463e5220-3f79-4e24-a63f-343e4096cd22\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"463e5220-3f79-4e24-a63f-343e4096cd22\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Require SQL Server version 12.0\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy ensures all SQL servers use version 12.0. This policy is deprecated + because it is no longer possible to create an Azure SQL server with any version + other than 12.0.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"SQL\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},{\"not\":{\"field\":\"Microsoft.Sql/servers/version\",\"equals\":\"12.0\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"464dbb85-3d5f-4a1d-bb09-95a9b5dd19cf\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1346 - Identification And Authentication (Non-Organizational + Users)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1346\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/464dc8ce-2200-4720-87a5-dc5952924cc6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"464dc8ce-2200-4720-87a5-dc5952924cc6\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Applications that are not using latest supported Python Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported Python version for the latest security classes. Using + older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPython\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/46544d7b-1f0d-46f5-81da-5c1351de1b06\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"46544d7b-1f0d-46f5-81da-5c1351de1b06\"},{\"properties\":{\"displayName\":\"Require + automatic OS image patching on 
Virtual Machine Scale Sets\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy enforces enabling automatic OS image patching on Virtual Machine Scale + Sets to always keep Virtual Machines secure by safely applying latest security + patches every month.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgradePolicy.enableAutomaticOSUpgrade\",\"notEquals\":\"True\"},{\"field\":\"Microsoft.Compute/VirtualMachineScaleSets/upgradePolicy.automaticOSUpgrade\",\"notEquals\":\"True\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/465f0161-0087-490a-9ad9-ad6217f4f43a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"465f0161-0087-490a-9ad9-ad6217f4f43a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1368 - Incident Handling | Correlation With External Organizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1368\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/465f32da-0ace-4603-8d1b-7be5a3a702de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"465f32da-0ace-4603-8d1b-7be5a3a702de\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1062 - Remote Access | Protection Of Confidentiality / Integrity + Using 
Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1062\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4708723f-e099-4af1-bbf9-b6df7642e444\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4708723f-e099-4af1-bbf9-b6df7642e444\"},{\"properties\":{\"displayName\":\"Automatic + provisioning of the Log Analytics monitoring agent should be enabled on your + subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable + automatic provisioning of the Log Analytics monitoring agent in order to collect + security data\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/autoProvisioningSettings\",\"existenceCondition\":{\"field\":\"Microsoft.Security/autoProvisioningSettings/autoProvision\",\"equals\":\"On\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"475aae12-b88a-4572-8b36-9b712b2b3a17\"},{\"properties\":{\"displayName\":\"Adaptive + Application Controls should be enabled on 
virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Possible + Application Whitelist configuration will be monitored by Azure Security Center\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"applicationWhitelisting\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47a6b606-51aa-4496-8bb7-64b11cf66adc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1359 - Incident Response Testing | Coordination With Related + Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1359\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47bc7ea0-7d13-4f7c-a154-b903f7194253\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47bc7ea0-7d13-4f7c-a154-b903f7194253\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1165 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1165\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/47e10916-6c9e-446b-b0bd-ff5fd439d79d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"47e10916-6c9e-446b-b0bd-ff5fd439d79d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1048 - System Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1048\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/483e7ca9-82b3-45a2-be97-b93163a0deb7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"483e7ca9-82b3-45a2-be97-b93163a0deb7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1033 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1033\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48540f01-fc11-411a-b160-42807c68896e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48540f01-fc11-411a-b160-42807c68896e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1477 - Fire Protection | Detection Devices / Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1477\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4862a63c-6c74-4a9d-a221-89af3c374503\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4862a63c-6c74-4a9d-a221-89af3c374503\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1484 - Water Damage Protection | Automation Support\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1484\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/486b006a-3653-45e8-b41c-a052d3e05456\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"486b006a-3653-45e8-b41c-a052d3e05456\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit IP restrictions configuration for an API App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + Restrictions allow you to define a list of IP addresses that are allowed to + access your app. 
Use of IP Restrictions protects an API app from common attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48893b84-a2c8-4d9a-badf-835d5d1b7d53\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48893b84-a2c8-4d9a-badf-835d5d1b7d53\"},{\"properties\":{\"displayName\":\"Geo-redundant + backup should be enabled for Azure Database for PostgreSQL\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Azure Database for PostgreSQL with geo-redundant backup + not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48af4db5-9b8b-401c-8e74-076be876a430\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1669 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1669\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/48f2f62b-5743-4415-a143-288adc0e078d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"48f2f62b-5743-4415-a143-288adc0e078d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1376 - Incident Response Assistance | Coordination With External + Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1376\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/493a95f3-f2e3-47d0-af02-65e6d6decc2f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"493a95f3-f2e3-47d0-af02-65e6d6decc2f\"},{\"properties\":{\"displayName\":\"Ensure + that 'Java version' is the latest, if used as a part of the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for Java software either due to security flaws + or to include additional functionality. Using the latest Java version for + web apps is recommended in order to take advantage of security fixes, if any, + and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest + Java version\",\"description\":\"Latest supported Java version for App 
Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', + parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), + '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"496223c3-ad65-4ecd-878a-bae78737e9ed\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Audit'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Audit'. It also creates a system-assigned managed identity and deploys the + VM extension for Guest Configuration. This policy should only be used along + with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit: Shut down system immediately if unable to log security audits\",\"description\":\"Audits + if the system will shut down when unable to log Security events.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"al
lOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAudit\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit: + Shut down system immediately if unable to log security audits;ExpectedValue', + '=', 
parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsAudit\"},\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue\",\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit: + Shut down system immediately if unable to log security audits;ExpectedValue\",\"value\":\"[parameters('AuditShutDownSystemImmediatelyIfUnableToLogSecurityAudits')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/498b810c-59cd-4222-9338-352ba146ccf3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"498b810c-59cd-4222-9338-352ba146ccf3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1329 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1329\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/498f6234-3e20-4b6a-a880-cbd646d973bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"498f6234-3e20-4b6a-a880-cbd646d973bd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1638 - Boundary Protection | Dynamic Isolation / Segregation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1638\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49b99653-32cd-405d-a135-e7d60a9aae1f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49b99653-32cd-405d-a135-e7d60a9aae1f\"},{\"properties\":{\"displayName\":\"Append + tag and its default value to resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Appends + the specified tag and value when any resource group which is missing this + tag is created or updated. Does not modify the tags of resource groups created + before this policy was applied until those resource groups are changed. 
New + 'modify' effect policies are available that support remediation of tags on + existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49c88fc8-6fd1-46fd-a676-f12d1d3a4c71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49c88fc8-6fd1-46fd-a676-f12d1d3a4c71\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1294 - Information System Backup | Transfer To Alternate Storage + Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1294\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/49dbe627-2c1e-438c-979e-dd7a39bbf81d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"49dbe627-2c1e-438c-979e-dd7a39bbf81d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1218 - 
Least Functionality | Prevent Program Execution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1218\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4a1d0394-b9f5-493e-9e83-563fd0ac4df8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4a1d0394-b9f5-493e-9e83-563fd0ac4df8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1677 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1677\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4a248e1e-040f-43e5-bff2-afc3a57a3923\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4a248e1e-040f-43e5-bff2-afc3a57a3923\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1094 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1094\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4b1853e0-8973-446b-b567-09d901d31a09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4b1853e0-8973-446b-b567-09d901d31a09\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1114 - Response To Audit Processing Failures | Real-Time Alerts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1114\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c090801-59bc-4454-bb33-e0455133486a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c090801-59bc-4454-bb33-e0455133486a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1364 - Incident Handling | Dynamic Reconfiguration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1364\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c615c2a-dc83-4dda-8220-abce7b50c9bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c615c2a-dc83-4dda-8220-abce7b50c9bc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1661 - Session Authenticity | Invalidate Session Identifiers + At Logout\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1661\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4c643c9a-1be7-4016-a5e7-e4bada052920\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4c643c9a-1be7-4016-a5e7-e4bada052920\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1373 - Incident Reporting | Automated Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1373\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4cca950f-c3b7-492a-8e8f-ea39663c14f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4cca950f-c3b7-492a-8e8f-ea39663c14f9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1632 - Boundary Protection | Prevent Split Tunneling For Remote + Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1632\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ce9073a-77fa-48f0-96b1-87aa8e6091c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ce9073a-77fa-48f0-96b1-87aa8e6091c2\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Linux VMs that do not have the specified applications + installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Linux virtual machines + that do not have the specified applications installed. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application + names\",\"description\":\"A semicolon-separated list of the names of the applications + that should be installed. e.g. 'python; powershell'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notL
ike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent', + '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), + 
']')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"installed_application_linux\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: + [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]InstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: + [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d1c04de-2172-403f-901b-90608c35c721\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d1c04de-2172-403f-901b-90608c35c721\"},{\"properties\":{\"displayName\":\"FTPS + should be required in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable + FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + 
Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1155 - System Interconnections | Restrictions On External + System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1155\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d33f9f1-12d0-46ad-9fbd-8f8046694977\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d33f9f1-12d0-46ad-9fbd-8f8046694977\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1156 - Plan Of Action And Milestones\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1156\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d52e864-9a3b-41ee-8f03-520815fe5378\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d52e864-9a3b-41ee-8f03-520815fe5378\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1312 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1312\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4d6a5968-9eef-4c18-8534-376790ab7274\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4d6a5968-9eef-4c18-8534-376790ab7274\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Dependency Agent for Linux VMs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Dependency Agent for Linux VMs if the VM Image (OS) is in the list defined + and the agent is not installed.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to 
scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\
",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentLinux\",\"vmExtensionTypeHandlerVersion\":\"9.6\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"[concat(parameters('vmName'), + '/', variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + extension for VM', ': ', 
parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4da21710-ce6f-4e06-8cdb-5cc4c93ffbee\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Data Lake Analytics to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Data Lake Analytics to stream to a regional Event + Hub when any Data Lake Analytics which is missing this diagnostic settings + is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(pa
rameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4daddf25-4823-43d4-88eb-2419eb6dcc08\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4daddf25-4823-43d4-88eb-2419eb6dcc08\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1394 - System Maintenance Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1394\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4db56f68-3f50-45ab-88f3-ca46f5379a94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4db56f68-3f50-45ab-88f3-ca46f5379a94\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1702 - Information System Monitoring | Indicators Of Compromise\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1702\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4dfc0855-92c4-4641-b155-a55ddd962362\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4dfc0855-92c4-4641-b155-a55ddd962362\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1001 - Access Control Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1001\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e26f8c3-4bf3-4191-b8fc-d888805101b7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e26f8c3-4bf3-4191-b8fc-d888805101b7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1083 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1083\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e319cb6-2ca3-4a58-ad75-e67f484e50ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e319cb6-2ca3-4a58-ad75-e67f484e50ec\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1579 - Acquisition Process | Use Of Approved Piv Products\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1579\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e54c7ef-7457-430b-9a3e-ef8881d4a8e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e54c7ef-7457-430b-9a3e-ef8881d4a8e0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1247 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1247\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e666db5-b2ef-4b06-aac6-09bfce49151b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e666db5-b2ef-4b06-aac6-09bfce49151b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1196 - Configuration Change Control | Automated Document / + Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1196\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e7f4ea4-dd62-44f6-8886-ac6137cf52b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e7f4ea4-dd62-44f6-8886-ac6137cf52b0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1134 - Protection Of Audit Information | Access By Subset + Of Privileged Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1134\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e95f70e-181c-4422-9da2-43079710c789\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e95f70e-181c-4422-9da2-43079710c789\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1267 - Alternate Storage Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1267\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4e97ba1d-be5d-4953-8da4-0cccf28f4805\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4e97ba1d-be5d-4953-8da4-0cccf28f4805\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1192 - Configuration Change Control | Automated Document / + Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1192\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ebd97f7-b105-4f50-8daf-c51465991240\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ebd97f7-b105-4f50-8daf-c51465991240\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1139 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1139\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4ed62522-de00-4dda-9810-5205733d2f34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4ed62522-de00-4dda-9810-5205733d2f34\"},{\"properties\":{\"displayName\":\"A + maximum of 3 owners should be designated for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"It + is recommended to designate up to 3 subscription owners in order to reduce + the potential for breach by a compromised owner.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DesignateLessThanXOwners\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f11b553-d42e-4e3a-89be-32ca364cad4c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1442 - Media Sanitization | Nondestructive Techniques\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1442\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f26049b-2c5a-4841-9ff3-d48a26aae475\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f26049b-2c5a-4841-9ff3-d48a26aae475\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1182 - Baseline Configuration | Configure Systems, Components, + Or Devices For High-Risk Areas\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1182\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f34f554-da4b-4786-8d66-7915c90893da\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f34f554-da4b-4786-8d66-7915c90893da\"},{\"properties\":{\"displayName\":\"A + security contact email address should be provided for your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enter + an email address to receive notifications when Azure Security Center detects + compromised resources\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable 
the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/email\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7\"},{\"properties\":{\"displayName\":\"Add + a tag to resources\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + the specified tag and value when any resource missing this tag is created + or updated. Existing resources can be remediated by triggering a remediation + task. If the tag exists with a different value it will not be changed. Does + not modify tags on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', + parameters('tagName'), 
']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"4f9dc7db-30c1-420c-b61a-e1d640128d26\"},{\"properties\":{\"displayName\":\"[Preview] + Vulnerability Assessment should be enabled on Virtual Machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Monitors + vulnerabilities detected by Azure Security Center Vulnerability Assessment + on Virtual Machines\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security + Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"serverVulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"NotApplicable\",\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"501541f7-f7e7-4cd6-868c-4190fdad3ac9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1485 - Delivery And Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1485\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50301354-95d0-4a11-8af5-8039ecf6d38b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50301354-95d0-4a11-8af5-8039ecf6d38b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1646 - Cryptographic Key Establishment And Management | Asymmetric + Keys\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1646\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/506814fa-b930-4b10-894e-a45b98c40e1a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"506814fa-b930-4b10-894e-a45b98c40e1a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1566 - System Development Life Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1566\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50ad3724-e2ac-4716-afcc-d8eabd97adb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50ad3724-e2ac-4716-afcc-d8eabd97adb9\"},{\"properties\":{\"displayName\":\"A + custom IPsec/IKE policy must be applied to all Azure virtual network gateway + connections\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy ensures that all Azure virtual network gateway connections use a custom + Internet Protocol Security(Ipsec)/Internet Key Exchange(IKE) policy. Supported + algorithms and key strengths - https://aka.ms/AA62kb0\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"IPsecEncryption\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IPsec + Encryption\",\"description\":\"IPsec Encryption\"}},\"IPsecIntegrity\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IPsec + Integrity\",\"description\":\"IPsec Integrity\"}},\"IKEEncryption\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IKE + Encryption\",\"description\":\"IKE Encryption\"}},\"IKEIntegrity\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"IKE + Integrity\",\"description\":\"IKE Integrity\"}},\"DHGroup\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"DH + Group\",\"description\":\"DH Group\"}},\"PFSGroup\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"PFS + Group\",\"description\":\"PFS 
Group\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/connections\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ipsecEncryption\",\"notIn\":\"[parameters('IPsecEncryption')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ipsecIntegrity\",\"notIn\":\"[parameters('IPsecIntegrity')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ikeEncryption\",\"notIn\":\"[parameters('IKEEncryption')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].ikeIntegrity\",\"notIn\":\"[parameters('IKEIntegrity')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].dhGroup\",\"notIn\":\"[parameters('DHGroup')]\"},{\"field\":\"Microsoft.Network/connections/ipsecPolicies[*].pfsGroup\",\"notIn\":\"[parameters('PFSGroup')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50b83b09-03da-41c1-b656-c293c914862b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50b83b09-03da-41c1-b656-c293c914862b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1248 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1248\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/50fc602d-d8e0-444b-a039-ad138ee5deb0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"50fc602d-d8e0-444b-a039-ad138ee5deb0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1386 - Information 
Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1386\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5120193e-91fd-4f9d-bc6d-194f94734065\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5120193e-91fd-4f9d-bc6d-194f94734065\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1352 - Incident Response Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1352\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/518cb545-bfa8-43f8-a108-3b7d5037469a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"518cb545-bfa8-43f8-a108-3b7d5037469a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1642 - Network Disconnect\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1642\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53397227-5ee3-4b23-9e5e-c8a767ce6928\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53397227-5ee3-4b23-9e5e-c8a767ce6928\"},{\"properties\":{\"displayName\":\"Connection + throttling should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy helps audit any PostgreSQL databases in your environment without Connection + throttling enabled. This setting enables temporary connection throttling per + IP for too many invalid password login failures.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"connection_throttling\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5345bb39-67dc-4960-a1bf-427e16b9a0bd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1467 - Visitor Access Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + 
implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1467\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5350cbf9-8bdd-4904-b22a-e88be84ca49d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5350cbf9-8bdd-4904-b22a-e88be84ca49d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1183 - Baseline Configuration | Configure Systems, Components, + Or Devices For High-Risk Areas\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1183\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5352e3e0-e63a-452e-9e5f-9c1d181cff9c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5352e3e0-e63a-452e-9e5f-9c1d181cff9c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1029 - Information Flow Enforcement | Security Policy Filters\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1029\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53ac8f8e-c2b5-4d44-8a2d-058e9ced9b69\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1270 - Alternate Storage Site | Recovery Time / Point Objectives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1270\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/53c76a39-2097-408a-b237-b279f7b4614d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"53c76a39-2097-408a-b237-b279f7b4614d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1040 - Least Privilege | Review Of User Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1040\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/54205576-cec9-463f-ba44-b4b3f5d0a84c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"54205576-cec9-463f-ba44-b4b3f5d0a84c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1015 - Account Management | Disable Inactive Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1015\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/544a208a-9c3f-40bc-b1d1-d7e144495c14\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"544a208a-9c3f-40bc-b1d1-d7e144495c14\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1026 - Account Management | Disable Accounts For High-Risk + Individuals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1026\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/55419419-c597-4cd4-b51e-009fd2266783\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"55419419-c597-4cd4-b51e-009fd2266783\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1045 - Unsuccessful Logon Attempts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1045\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/554d2dd6-f3a8-4ad5-b66f-5ce23bd18892\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"554d2dd6-f3a8-4ad5-b66f-5ce23bd18892\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1523 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1523\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5577a310-2551-49c8-803b-36e0d5e55601\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5577a310-2551-49c8-803b-36e0d5e55601\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1113 - Response To Audit Processing Failures | Audit Storage + Capacity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1113\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/562afd61-56be-4313-8fe4-b9564aa4ba7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"562afd61-56be-4313-8fe4-b9564aa4ba7d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1212 - Configuration Settings | Automated Central Management + / Application / Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1212\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/56d970ee-4efc-49c8-8a4e-5916940d784c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"56d970ee-4efc-49c8-8a4e-5916940d784c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1403 - Controlled Maintenance | Automated Maintenance Activities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1403\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/57149289-d52b-4f40-9fe6-5233c1ef80f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"57149289-d52b-4f40-9fe6-5233c1ef80f7\"},{\"properties\":{\"displayName\":\"CORS + should not allow every resource to access your Web Applications\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Cross-Origin + Resource Sharing (CORS) should not allow all domains to access your web application. 
+ Allow only required domains to interact with your web app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.cors.allowedOrigins[*]\",\"notEquals\":\"*\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5744710e-cc2f-4ee8-8809-3b11e89f4bc9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1162 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1162\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5770f3d6-8c2b-4f6f-bf0e-c8c8fc36d592\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1054 - Session Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1054\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5807e1b4-ba5e-4718-8689-a0ca05a191b2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5807e1b4-ba5e-4718-8689-a0ca05a191b2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1584 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1584\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5864522b-ff1d-4979-a9f8-58bee1fb174c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5864522b-ff1d-4979-a9f8-58bee1fb174c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1547 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1547\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58abf9b8-c6d4-4b4b-bfb9-fe98fe295f52\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1573 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1573\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58c93053-7b98-4cf0-b99f-1beb985416c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58c93053-7b98-4cf0-b99f-1beb985416c2\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Ensure Function app is using the latest version of TLS encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Please + use /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 + instead. The TLS(Transport Layer Security) protocol secures transmission of + data over the internet using standard encryption technology. Encryption should + be set with the latest version of TLS. 
App service allows TLS 1.2 by default, + which is the recommended TLS level by industry standards, such as PCI DSS\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App + Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/58d94fc1-a072-47c2-bd37-9cdb38e77453\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"58d94fc1-a072-47c2-bd37-9cdb38e77453\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1063 - Remote Access | Managed Access Control Points\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1063\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/593ce201-54b2-4dd0-b34f-c308005d7780\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"593ce201-54b2-4dd0-b34f-c308005d7780\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1463 - Monitoring Physical 
Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1463\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/59721f87-ae25-4db0-a2a4-77cc5b25d495\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"59721f87-ae25-4db0-a2a4-77cc5b25d495\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1425 - Timely Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1425\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5983d99c-f39b-4c32-a3dc-170f19f6941b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5983d99c-f39b-4c32-a3dc-170f19f6941b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1512 - Personnel Screening\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1512\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5a8324ad-f599-429b-aaed-f9c6e8c987a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5a8324ad-f599-429b-aaed-f9c6e8c987a8\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that do not have a minimum password age + of 1 day\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not have a minimum password age + of 1 day. For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + 
Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows
*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordAge\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aa11bbc-5c76-4302-80e5-aba46a4282e7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aa11bbc-5c76-4302-80e5-aba46a4282e7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1032 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1032\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aa85661-d618-46b8-a20f-ca40a86f0751\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aa85661-d618-46b8-a20f-ca40a86f0751\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that do not restrict the minimum password + length to 14 characters\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its 
corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not restrict the minimum password + length to 14 characters. For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"fi
eld\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MinimumPasswordLength\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5aebc8d1-020d-4037-89a0-02043a7524ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5aebc8d1-020d-4037-89a0-02043a7524ec\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1555 - Vulnerability Scanning | Privileged Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1555\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5afa8cab-1ed7-4e40-884c-64e0ac2059cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5afa8cab-1ed7-4e40-884c-64e0ac2059cc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1205 - Access Restrictions For Change | Signed Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1205\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b070cab-0fb8-4e48-ad29-fc90b4c2797c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b070cab-0fb8-4e48-ad29-fc90b4c2797c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1005 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1005\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b626abc-26d4-4e22-9de8-3831818526b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b626abc-26d4-4e22-9de8-3831818526b1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1105 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1105\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b73f57b-587d-4470-a344-0b0ae805f459\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b73f57b-587d-4470-a344-0b0ae805f459\"},{\"properties\":{\"displayName\":\"Show + audit results from Linux VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Linux virtual machines that have the specified applications installed. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":
\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"not_installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b842acb-0fe7-41b0-9f40-880ec4ad84d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b842acb-0fe7-41b0-9f40-880ec4ad84d8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1433 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1433\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b879b41-2728-41c5-ad24-9ee2c37cbe65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b879b41-2728-41c5-ad24-9ee2c37cbe65\"},{\"properties\":{\"displayName\":\"[Preview]: + Container Registries should be encrypted with a Customer-Managed Key (CMK)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Container Registries that do not have encryption enabled with Customer-Managed + Keys (CMK). For more information on CMK encryption, please visit: https://aka.ms/acr/CMK.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Container + Registry\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerRegistry/registries\"},{\"not\":{\"field\":\"Microsoft.ContainerRegistry/registries/encryption.status\",\"equals\":\"enabled\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\"},{\"properties\":{\"displayName\":\"Ensure + WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client + certificates allow for the app to request a certificate for incoming 
requests. + Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bb220d9-2698-4ee4-8404-b9c30c9df609\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bb220d9-2698-4ee4-8404-b9c30c9df609\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs on which the remote host connection + status does not match the specified one\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + on which the remote host connection status does not match the specified one. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"host\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Remote Host Name\",\"description\":\"Specifies the Domain Name System (DNS) + name or IP address of the remote host machine.\"}},\"port\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Port\",\"description\":\"The TCP port number on the remote host name.\"}},\"shouldConnect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Should connect to remote host\",\"description\":\"Must be 'True' or 'False'. + 'True' indicates that the virtual machine should be able to establish a connection + with the remote host specified, so the machine will be non-compliant if it + cannot establish a connection. 'False' indicates that the virtual machine + should not be able to establish a connection with the remote host specified, + so the machine will be non-compliant if it can establish a 
connection.\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/
storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsRemoteConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsRemoteConnection]WindowsRemoteConnection1;host', + '=', parameters('host'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;port', + '=', parameters('port'), ',', '[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect', + '=', 
parameters('shouldConnect')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsRemoteConnection\"},\"host\":{\"value\":\"[parameters('host')]\"},\"port\":{\"value\":\"[parameters('port')]\"},\"shouldConnect\":{\"value\":\"[parameters('shouldConnect')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"host\":{\"type\":\"string\"},\"port\":{\"type\":\"string\"},\"shouldConnect\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;host\",\"value\":\"[parameters('host')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;port\",\"value\":\"[parameters('port')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect\",\"value\":\"[parameters('shouldConnect')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + 
'/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;host\",\"value\":\"[parameters('host')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;port\",\"value\":\"[parameters('port')]\"},{\"name\":\"[WindowsRemoteConnection]WindowsRemoteConnection1;shouldConnect\",\"value\":\"[parameters('shouldConnect')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bb36dda-8a78-4df9-affd-4f05a8612a8a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bb36dda-8a78-4df9-affd-4f05a8612a8a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1551 - Vulnerability Scanning | Update Tool 
Capability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1551\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5bbda922-0172-4095-89e6-5b4a0bf03af7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5bbda922-0172-4095-89e6-5b4a0bf03af7\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Network Security'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Network Security'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkSecurity\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c028d2a-1889-45f6-b821-31f42711ced8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c028d2a-1889-45f6-b821-31f42711ced8\"},{\"properties\":{\"displayName\":\"[Preview]: + Audit Log Analytics Agent Deployment in VMSS - VM Image (OS) unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + VMSS as non-compliant if the VM Image (OS) is not in the list defined and + the agent is not installed. 
The list of OS images will be updated over time + as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2
019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field
\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"field\":\
"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1671 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1671\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c5bbef7-a316-415b-9b38-29753ce8e698\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c5bbef7-a316-415b-9b38-29753ce8e698\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1067 - Wireless Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1067\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c5e54f6-0127-44d0-8b61-f31dc8dd6190\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c5e54f6-0127-44d0-8b61-f31dc8dd6190\"},{\"properties\":{\"displayName\":\"External + accounts with write permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + accounts with write privileges should be removed from your subscription in + order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithWritePermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5c607a2e-c700-4744-8254-d77e7c9eb5e4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5c607a2e-c700-4744-8254-d77e7c9eb5e4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1483 - Water Damage Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental 
Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1483\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5cb81060-3c8a-4968-bcdc-395a1801f6c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5cb81060-3c8a-4968-bcdc-395a1801f6c1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1362 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1362\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5d169442-d6ef-439b-8dca-46c2c3248214\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5d169442-d6ef-439b-8dca-46c2c3248214\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1014 - Account Management | Removal Of Temporary / Emergency + Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1014\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5dee936c-8037-4df1-ab35-6635733da48c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5dee936c-8037-4df1-ab35-6635733da48c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1665 - Process Isolation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1665\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5df3a55c-8456-44d4-941e-175f79332512\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5df3a55c-8456-44d4-941e-175f79332512\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Function App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + of HTTPS ensures server/service authentication and protects data in transit + from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForFunctionApp\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5df82f4f-773a-4a2d-97a2-422a806f1a55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5df82f4f-773a-4a2d-97a2-422a806f1a55\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1251 - Contingency Plan | Coordinate With Related Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1251\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e2b3730-8c14-4081-8893-19dbb5de7348\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e2b3730-8c14-4081-8893-19dbb5de7348\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Applications that are not using latest supported .NET Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported .NET Framework version for the latest security classes. 
+ Using older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestDotNet\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e3315e0-a414-4efb-a4d2-c7bd2b0443d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e3315e0-a414-4efb-a4d2-c7bd2b0443d2\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs that do not have the specified applications + installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not have the specified applications + installed. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WhitelistedApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e393799-e3ca-4e43-a9a5-0ec4648a57d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e393799-e3ca-4e43-a9a5-0ec4648a57d9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1116 - Audit Review, Analysis, And Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1116\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5e47bc51-35d1-44b8-92af-e2f2d8b67635\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5e47bc51-35d1-44b8-92af-e2f2d8b67635\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1208 - Configuration 
Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1208\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ea87673-d06b-456f-a324-8abcee5c159f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ea87673-d06b-456f-a324-8abcee5c159f\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation only in India data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation in the following locations only: West India, South India, + Central India\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"westindia\",\"southindia\",\"centralindia\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ee85ce5-e7eb-44d6-b4a2-32a24be1ca54\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Log Analytics Agent for Linux VM Scale Sets (VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Log Analytics Agent for Linux VM Scale Sets if the VM Image (OS) is in the + list defined and the agent is not installed. Note: if your scale set upgradePolicy + is set to Manual, you need to apply the extension to the all VMs in the set + by calling upgrade on them. 
In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Log Analytics workspace\",\"description\":\"Select Log Analytics workspace + from dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"12*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\
"14.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"16.04*LTS\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"18.04*LTS\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Oracle\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Oracle-Linux\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7.*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\",\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"OmsAgentForLinux\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"MMAExtension\",\"vmExtensionPublisher\":\"Microso
ft.EnterpriseCloud.Monitoring\",\"vmExtensionType\":\"OmsAgentForLinux\",\"vmExtensionTypeHandlerVersion\":\"1.7\"},\"resources\":[{\"name\":\"[concat(parameters('vmName'), + '/', variables('vmExtensionName'))]\",\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"location\":\"[parameters('location')]\",\"apiVersion\":\"2018-06-01\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true,\"settings\":{\"workspaceId\":\"[reference(parameters('logAnalytics'), + '2015-03-20').customerId]\",\"stopOnMultipleConnections\":\"true\"},\"protectedSettings\":{\"workspaceKey\":\"[listKeys(parameters('logAnalytics'), + '2015-03-20').primarySharedKey]\"}}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ee9e9ed-0b42-41b7-8c9c-3cfb2fbe2069\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1576 - Acquisition Process | Design / Implementation Information + For Security Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1576\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f18c885-ade3-48c5-80b1-8f9216019c18\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f18c885-ade3-48c5-80b1-8f9216019c18\"},{\"properties\":{\"displayName\":\"External + accounts with read permissions should be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + accounts with read privileges should be removed from your subscription in + order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithReadPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f76cf89-fbf2-47fd-a3f4-b891fa780b60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f76cf89-fbf2-47fd-a3f4-b891fa780b60\"},{\"properties\":{\"displayName\":\"Add + or replace a tag on resources\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + or replaces the specified tag and value when any resource is created or updated. 
+ Existing resources can be remediated by triggering a remediation task. Does + not modify tags on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5ffd78d9-436d-4b41-a421-5baa819e3008\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5ffd78d9-436d-4b41-a421-5baa819e3008\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1663 - Protection Of Information At Rest\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1663\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60171210-6dde-40af-a144-bf2670518bfa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60171210-6dde-40af-a144-bf2670518bfa\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - Object Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - Object Access'. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60aeaf73-a074-417a-905f-7ce9df0ff77b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60aeaf73-a074-417a-905f-7ce9df0ff77b\"},{\"properties\":{\"displayName\":\"Storage + Accounts should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Storage Account not configured to use a virtual network + service endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"anyOf\":[{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*].id\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60d21c4f-21a3-4d94-85f4-b924e6aeeda4\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows web servers that are not using secure communication + protocols\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows web servers that are not using secure communication protocols + (TLS 1.1 or TLS 1.2). 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AuditSecureProtocol\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/60ffe3e2-4604-4460-8f22-0f1da058266c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"60ffe3e2-4604-4460-8f22-0f1da058266c\"},{\"properties\":{\"displayName\":\"Deploy + Advanced Data Security on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy enables Advanced Data Security on SQL Servers. This includes turning + on Threat Detection and Vulnerability Assessment. 
It will automatically create + a storage account in the same region and resource group as the SQL server + to store scan results, with a 'sqlva' prefix.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/securityAlertPolicies.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"serverResourceGroupName\":\"[resourceGroup().name]\",\"subscriptionId\":\"[subscription().subscriptionId]\",\"uniqueStorage\":\"[uniqueString(variables('subscriptionId'), + variables('serverResourceGroupName'), parameters('location'))]\",\"storageName\":\"[tolower(concat('sqlva', + variables('uniqueStorage')))]\"},\"resources\":[{\"type\":\"Microsoft.Storage/storageAccounts\",\"name\":\"[variables('storageName')]\",\"apiVersion\":\"2019-04-01\",\"location\":\"[parameters('location')]\",\"sku\":{\"name\":\"Standard_LRS\"},\"kind\":\"StorageV2\",\"properties\":{}},{\"name\":\"[concat(parameters('serverName'), + '/Default')]\",\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"emailAccountAdmins\":true}},{\"name\":\"[concat(parameters('serverName'), + 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"apiVersion\":\"2018-06-01-preview\",\"properties\":{\"storageContainerPath\":\"[concat(reference(resourceId('Microsoft.Storage/storageAccounts', + variables('storageName'))).primaryEndpoints.blob, 'vulnerability-assessment')]\",\"storageAccountAccessKey\":\"[listKeys(resourceId('Microsoft.Storage/storageAccounts', + variables('storageName')), '2018-02-01').keys[0].value]\",\"recurringScans\":{\"isEnabled\":true,\"emailSubscriptionAdmins\":true,\"emails\":[]}},\"dependsOn\":[\"[concat('Microsoft.Storage/storageAccounts/', + variables('storageName'))]\",\"[concat('Microsoft.Sql/servers/', parameters('serverName'), + '/securityAlertPolicies/Default')]\"]}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6134c3db-786f-471e-87bc-8f479dc890f6\"},{\"properties\":{\"displayName\":\"[Preview]: + Configure time zone on Windows machines.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to set specified time zone + on Windows virtual machines.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"TimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Time zone\",\"description\":\"The expected time zone\"},\"allowedValues\":[\"(UTC-12:00) + International Date Line West\",\"(UTC-11:00) Coordinated Universal Time-11\",\"(UTC-10:00) + Aleutian Islands\",\"(UTC-10:00) Hawaii\",\"(UTC-09:30) Marquesas Islands\",\"(UTC-09:00) + Alaska\",\"(UTC-09:00) Coordinated Universal Time-09\",\"(UTC-08:00) Baja + California\",\"(UTC-08:00) Coordinated Universal 
Time-08\",\"(UTC-08:00) Pacific + Time (US & Canada)\",\"(UTC-07:00) Arizona\",\"(UTC-07:00) Chihuahua, La Paz, + Mazatlan\",\"(UTC-07:00) Mountain Time (US & Canada)\",\"(UTC-06:00) Central + America\",\"(UTC-06:00) Central Time (US & Canada)\",\"(UTC-06:00) Easter + Island\",\"(UTC-06:00) Guadalajara, Mexico City, Monterrey\",\"(UTC-06:00) + Saskatchewan\",\"(UTC-05:00) Bogota, Lima, Quito, Rio Branco\",\"(UTC-05:00) + Chetumal\",\"(UTC-05:00) Eastern Time (US & Canada)\",\"(UTC-05:00) Haiti\",\"(UTC-05:00) + Havana\",\"(UTC-05:00) Indiana (East)\",\"(UTC-05:00) Turks and Caicos\",\"(UTC-04:00) + Asuncion\",\"(UTC-04:00) Atlantic Time (Canada)\",\"(UTC-04:00) Caracas\",\"(UTC-04:00) + Cuiaba\",\"(UTC-04:00) Georgetown, La Paz, Manaus, San Juan\",\"(UTC-04:00) + Santiago\",\"(UTC-03:30) Newfoundland\",\"(UTC-03:00) Araguaina\",\"(UTC-03:00) + Brasilia\",\"(UTC-03:00) Cayenne, Fortaleza\",\"(UTC-03:00) City of Buenos + Aires\",\"(UTC-03:00) Greenland\",\"(UTC-03:00) Montevideo\",\"(UTC-03:00) + Punta Arenas\",\"(UTC-03:00) Saint Pierre and Miquelon\",\"(UTC-03:00) Salvador\",\"(UTC-02:00) + Coordinated Universal Time-02\",\"(UTC-02:00) Mid-Atlantic - Old\",\"(UTC-01:00) + Azores\",\"(UTC-01:00) Cabo Verde Is.\",\"(UTC) Coordinated Universal Time\",\"(UTC+00:00) + Dublin, Edinburgh, Lisbon, London\",\"(UTC+00:00) Monrovia, Reykjavik\",\"(UTC+00:00) + Sao Tome\",\"(UTC+01:00) Casablanca\",\"(UTC+01:00) Amsterdam, Berlin, Bern, + Rome, Stockholm, Vienna\",\"(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, + Prague\",\"(UTC+01:00) Brussels, Copenhagen, Madrid, Paris\",\"(UTC+01:00) + Sarajevo, Skopje, Warsaw, Zagreb\",\"(UTC+01:00) West Central Africa\",\"(UTC+02:00) + Amman\",\"(UTC+02:00) Athens, Bucharest\",\"(UTC+02:00) Beirut\",\"(UTC+02:00) + Cairo\",\"(UTC+02:00) Chisinau\",\"(UTC+02:00) Damascus\",\"(UTC+02:00) Gaza, + Hebron\",\"(UTC+02:00) Harare, Pretoria\",\"(UTC+02:00) Helsinki, Kyiv, Riga, + Sofia, Tallinn, Vilnius\",\"(UTC+02:00) 
Jerusalem\",\"(UTC+02:00) Kaliningrad\",\"(UTC+02:00) + Khartoum\",\"(UTC+02:00) Tripoli\",\"(UTC+02:00) Windhoek\",\"(UTC+03:00) + Baghdad\",\"(UTC+03:00) Istanbul\",\"(UTC+03:00) Kuwait, Riyadh\",\"(UTC+03:00) + Minsk\",\"(UTC+03:00) Moscow, St. Petersburg\",\"(UTC+03:00) Nairobi\",\"(UTC+03:30) + Tehran\",\"(UTC+04:00) Abu Dhabi, Muscat\",\"(UTC+04:00) Astrakhan, Ulyanovsk\",\"(UTC+04:00) + Baku\",\"(UTC+04:00) Izhevsk, Samara\",\"(UTC+04:00) Port Louis\",\"(UTC+04:00) + Saratov\",\"(UTC+04:00) Tbilisi\",\"(UTC+04:00) Volgograd\",\"(UTC+04:00) + Yerevan\",\"(UTC+04:30) Kabul\",\"(UTC+05:00) Ashgabat, Tashkent\",\"(UTC+05:00) + Ekaterinburg\",\"(UTC+05:00) Islamabad, Karachi\",\"(UTC+05:00) Qyzylorda\",\"(UTC+05:30) + Chennai, Kolkata, Mumbai, New Delhi\",\"(UTC+05:30) Sri Jayawardenepura\",\"(UTC+05:45) + Kathmandu\",\"(UTC+06:00) Astana\",\"(UTC+06:00) Dhaka\",\"(UTC+06:00) Omsk\",\"(UTC+06:30) + Yangon (Rangoon)\",\"(UTC+07:00) Bangkok, Hanoi, Jakarta\",\"(UTC+07:00) Barnaul, + Gorno-Altaysk\",\"(UTC+07:00) Hovd\",\"(UTC+07:00) Krasnoyarsk\",\"(UTC+07:00) + Novosibirsk\",\"(UTC+07:00) Tomsk\",\"(UTC+08:00) Beijing, Chongqing, Hong + Kong, Urumqi\",\"(UTC+08:00) Irkutsk\",\"(UTC+08:00) Kuala Lumpur, Singapore\",\"(UTC+08:00) + Perth\",\"(UTC+08:00) Taipei\",\"(UTC+08:00) Ulaanbaatar\",\"(UTC+08:45) Eucla\",\"(UTC+09:00) + Chita\",\"(UTC+09:00) Osaka, Sapporo, Tokyo\",\"(UTC+09:00) Pyongyang\",\"(UTC+09:00) + Seoul\",\"(UTC+09:00) Yakutsk\",\"(UTC+09:30) Adelaide\",\"(UTC+09:30) Darwin\",\"(UTC+10:00) + Brisbane\",\"(UTC+10:00) Canberra, Melbourne, Sydney\",\"(UTC+10:00) Guam, + Port Moresby\",\"(UTC+10:00) Hobart\",\"(UTC+10:00) Vladivostok\",\"(UTC+10:30) + Lord Howe Island\",\"(UTC+11:00) Bougainville Island\",\"(UTC+11:00) Chokurdakh\",\"(UTC+11:00) + Magadan\",\"(UTC+11:00) Norfolk Island\",\"(UTC+11:00) Sakhalin\",\"(UTC+11:00) + Solomon Is., New Caledonia\",\"(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky\",\"(UTC+12:00) + Auckland, 
Wellington\",\"(UTC+12:00) Coordinated Universal Time+12\",\"(UTC+12:00) + Fiji\",\"(UTC+12:00) Petropavlovsk-Kamchatsky - Old\",\"(UTC+12:45) Chatham + Islands\",\"(UTC+13:00) Coordinated Universal Time+13\",\"(UTC+13:00) Nuku'alofa\",\"(UTC+13:00) + Samoa\",\"(UTC+14:00) Kiritimati Island\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft
.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"SetWindowsTimeZone\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', + '=', 
parameters('TimeZone')))]\"},{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"SetWindowsTimeZone\"},\"TimeZone\":{\"value\":\"[parameters('TimeZone')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"TimeZone\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"assignmentType\":\"DeployAndAutoCorrect\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"assignmentType\":\"DeployAndAutoCorrect\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6141c932-9384-44c6-a395-59e4c057d7c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6141c932-9384-44c6-a395-59e4c057d7c9\"},{\"properties\":{\"displayName\":\"Service + Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Service + Fabric provides three levels of protection (None, Sign and EncryptAndSign) + for node-to-node communication using a primary cluster certificate. Set the + protection level to ensure that all node-to-node messages are encrypted and + digitally signed\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Service + Fabric\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceFabric/clusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].name\",\"notEquals\":\"Security\"},{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].name\",\"notEquals\":\"ClusterProtectionLevel\"},{\"field\":\"Microsoft.ServiceFabric/clusters/fabricSettings[*].parameters[*].value\",\"notEquals\":\"EncryptAndSign\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"617c02be-7f02-4efd-8836-3180d47b6c68\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1110 - Audit Storage Capacity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1110\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6182bfa7-0f2a-43f5-834a-a2ddf31c13c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6182bfa7-0f2a-43f5-834a-a2ddf31c13c7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1415 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1415\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/61a1dd98-b259-4840-abd5-fbba7ee0da83\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"61a1dd98-b259-4840-abd5-fbba7ee0da83\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1153 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1153\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/61cf3125-142c-4754-8a16-41ab4d529635\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"61cf3125-142c-4754-8a16-41ab4d529635\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + System objects'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - System objects'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemobjects\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/620e58b5-ac75-49b4-993f-a9d4f0459636\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"620e58b5-ac75-49b4-993f-a9d4f0459636\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1682 - Malicious Code Protection | Nonsignature-Based Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1682\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/62b638c5-29d7-404b-8d93-f21e4b1ce198\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"62b638c5-29d7-404b-8d93-f21e4b1ce198\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1660 - Session Authenticity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1660\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/63096613-ce83-43e5-96f4-e588e8813554\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"63096613-ce83-43e5-96f4-e588e8813554\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1002 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1002\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/632024c2-8079-439d-a7f6-90af1d78cc65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"632024c2-8079-439d-a7f6-90af1d78cc65\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1498 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1498\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/633988b9-cf2f-4323-8394-f0d2af9cd6e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"633988b9-cf2f-4323-8394-f0d2af9cd6e1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1177 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1177\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"63dbc7a8-e20b-4d38-b857-a7f6c0cd94bc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1185 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1185\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6420cd73-b939-43b7-9d99-e8688fea053c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6420cd73-b939-43b7-9d99-e8688fea053c\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Devices'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Devices'. It also creates a system-assigned managed identity and deploys the + VM extension for Guest Configuration. This policy should only be used along + with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Devices: Allowed to format and eject removable media\",\"description\":\"Specifies + who is allowed to format and eject removable NTFS media. You can use this + policy setting to prevent unauthorized users from removing data on one computer + to access it on another computer on which they have local administrator privileges.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imag
ePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsDevices\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Devices: + Allowed to format and eject removable media;ExpectedValue', '=', 
parameters('DevicesAllowedToFormatAndEjectRemovableMedia')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsDevices\"},\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"DevicesAllowedToFormatAndEjectRemovableMedia\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Devices: + Allowed to format and eject removable media;ExpectedValue\",\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Devices: + Allowed to format and eject removable media;ExpectedValue\",\"value\":\"[parameters('DevicesAllowedToFormatAndEjectRemovableMedia')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6481cc21-ed6e-4480-99dd-ea7c5222e897\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6481cc21-ed6e-4480-99dd-ea7c5222e897\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1441 - Media Sanitization | Equipment Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1441\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6519d7f3-e8a2-4ff3-a935-9a9497152ad7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6519d7f3-e8a2-4ff3-a935-9a9497152ad7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1558 - Vulnerability Scanning | Correlate Scanning Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1558\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/65592b16-4367-42c5-a26e-d371be450e17\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"65592b16-4367-42c5-a26e-d371be450e17\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit missing blob encryption for storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy is no longer necessary because storage blob encryption is enabled by + default and cannot be turned off.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/enableBlobEncryption\",\"equals\":\"True\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/655cb504-bcee-4362-bd4c-402e6aa38759\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"655cb504-bcee-4362-bd4c-402e6aa38759\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1261 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1261\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/65aeceb5-a59c-4cb1-8d82-9c474be5d431\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"65aeceb5-a59c-4cb1-8d82-9c474be5d431\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit IP restrictions configuration for a Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + Restrictions allow you to define a list of IP addresses that are allowed to + access your app. 
Use of IP Restrictions protects a Function app from common + attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/664346d9-be92-43fb-a219-d595eeb76a90\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"664346d9-be92-43fb-a219-d595eeb76a90\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1444 - Media Use | Prohibit Use Without Owner\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1444\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/666143df-f5e0-45bd-b554-135f0f93e44e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"666143df-f5e0-45bd-b554-135f0f93e44e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1319 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1319\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/66f7ae57-5560-4fc5-85c9-659f204e7a42\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"66f7ae57-5560-4fc5-85c9-659f204e7a42\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1628 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1628\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/67de62b4-a737-4781-8861-3baed3c35069\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"67de62b4-a737-4781-8861-3baed3c35069\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1377 - Incident Response Assistance | Coordination With External + Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1377\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68434bd1-e14b-4031-9edb-a4adf5f84a67\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68434bd1-e14b-4031-9edb-a4adf5f84a67\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs on which the Log Analytics agent + is not connected as expected\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + on which the Log Analytics agent is not connected to the specified workspaces. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. 
This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"WorkspaceId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Connected workspace IDs\",\"description\":\"A semicolon-separated list of + the workspace IDs that the Log Analytics agent should be connected to\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}
]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsLogAnalyticsAgentConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId', + '=', 
parameters('WorkspaceId')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsLogAnalyticsAgentConnection\"},\"WorkspaceId\":{\"value\":\"[parameters('WorkspaceId')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"WorkspaceId\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId\",\"value\":\"[parameters('WorkspaceId')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LogAnalyticsAgent]LogAnalyticsAgent1;WorkspaceId\",\"value\":\"[parameters('WorkspaceId')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68511db2-bd02-41c4-ae6b-1900a012968a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68511db2-bd02-41c4-ae6b-1900a012968a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1597 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1597\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68b250ec-2e4f-4eee-898a-117a9fda7016\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68b250ec-2e4f-4eee-898a-117a9fda7016\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1588 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1588\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68ebae26-e0e0-4ecb-8379-aabf633b51e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68ebae26-e0e0-4ecb-8379-aabf633b51e9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1070 - Wireless Access | Disable Wireless Networking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1070\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/68f837d0-8942-4b1e-9b31-be78b247bda8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"68f837d0-8942-4b1e-9b31-be78b247bda8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1727 - Memory Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1727\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/697175a7-9715-4e89-b98b-c6f605888fa3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"697175a7-9715-4e89-b98b-c6f605888fa3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1652 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1652\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6998e84a-2d29-4e10-8962-76754d4f772d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6998e84a-2d29-4e10-8962-76754d4f772d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1699 - Information System Monitoring | Privileged Users\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1699\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/69c7bee8-bc19-4129-a51e-65a7b39d3e7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"69c7bee8-bc19-4129-a51e-65a7b39d3e7c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1696 - Information System Monitoring | Correlate Monitoring + Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1696\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/69d2a238-20ab-4206-a6dc-f302bf88b1b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"69d2a238-20ab-4206-a6dc-f302bf88b1b8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1244 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1244\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a13a8f8-c163-4b1b-8554-d63569dab937\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a13a8f8-c163-4b1b-8554-d63569dab937\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1019 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1019\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a3ee9b2-3977-459c-b8ce-2db583abd9f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a3ee9b2-3977-459c-b8ce-2db583abd9f7\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs on which Windows Defender Exploit + Guard is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + on which Windows Defender Exploit Guard is not enabled. It also creates a + system-assigned managed identity and deploys the VM extension for Guest Configuration. + This policy should only be used along with its corresponding audit policy + in an initiative. For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NotAvailableMachineState\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + State in which to show VMs on which Windows Defender Exploit Guard is not + available\",\"description\":\"Windows Defender Exploit Guard is only available + starting with Windows 10/Windows Server with update 1709. Setting this value + to 'Non-Compliant' will make machines with older versions on which Windows + Defender Exploit Guard is not available (such as Windows Server 2012 R2) non-compliant. 
+ Setting this value to 'Compliant' will make these machines compliant.\"},\"allowedValues\":[\"Compliant\",\"Non-Compliant\"],\"defaultValue\":\"Non-Compliant\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsCon
figuration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDefenderExploitGuard\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState', + '=', parameters('NotAvailableMachineState')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDefenderExploitGuard\"},\"NotAvailableMachineState\":{\"value\":\"[parameters('NotAvailableMachineState')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NotAvailableMachineState\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState\",\"value\":\"[parameters('NotAvailableMachineState')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsDefenderExploitGuard]WindowsDefenderExploitGuard1;NotAvailableMachineState\",\"value\":\"[parameters('NotAvailableMachineState')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a7a2bcf-f9be-4e35-9734-4f9657a70f1d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a7a2bcf-f9be-4e35-9734-4f9657a70f1d\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit IP restrictions configuration for a Web Application\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"IP + Restrictions allow you to define a list of IP addresses that are allowed to + access your app. 
Use of IP Restrictions protects a web application from common + attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ConfigureIPRestrictions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a8450e2-6c61-43b4-be65-62e3a197bffe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a8450e2-6c61-43b4-be65-62e3a197bffe\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1211 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1211\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6a8b9dc8-6b00-4701-aa96-bba3277ebf50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6a8b9dc8-6b00-4701-aa96-bba3277ebf50\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Ensure WEB app is using the latest version of TLS encryption \",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Please + use /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b + instead. The TLS(Transport Layer Security) protocol secures transmission of + data over the internet using standard encryption technology. Encryption should + be set with the latest version of TLS. 
App service allows TLS 1.2 by default, + which is the recommended TLS level by industry standards, such as PCI DSS.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App + Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6ad61431-88ce-4357-a0e1-6da43f292bd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6ad61431-88ce-4357-a0e1-6da43f292bd7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1653 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1653\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b1c00a7-7fd0-42b0-8c5b-c45f6fa1f71b\"},{\"properties\":{\"displayName\":\"Deprecated + accounts should be removed from your 
subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Deprecated + accounts should be removed from your subscriptions. Deprecated accounts are + accounts that have been blocked from signing in.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveDeprecatedAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b1cbf55-e8b6-442f-ba4c-7246b6381474\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b1cbf55-e8b6-442f-ba4c-7246b6381474\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Service Bus to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Service Bus to stream to a regional Event Hub + when any Service Bus which is missing this diagnostic settings is created + or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile 
name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"typ
e\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.ServiceBus/namespaces/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b51af03-9277-49a9-a3f8-1c69c9ff7403\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b51af03-9277-49a9-a3f8-1c69c9ff7403\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1031 - Separation Of Duties\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1031\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6b93a801-fe25-4574-a60d-cb22acffae00\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6b93a801-fe25-4574-a60d-cb22acffae00\"},{\"properties\":{\"displayName\":\"Not + allowed resource types\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy enables you to specify the resource types that your organization cannot + deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfResourceTypesNotAllowed\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of resource types that cannot be deployed.\",\"displayName\":\"Not allowed + resource types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypesNotAllowed')]\"},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1338 - Authenticator Management | Automated Support For Password + Strength Determination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1338\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6c59a207-6aed-41dc-83a2-e1ff66e4a4db\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6c59a207-6aed-41dc-83a2-e1ff66e4a4db\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1304 - Identification And Authentication (Org. Users) | Local + Access To Non-Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1304\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6ca71be3-16cb-4d39-8b50-7f8fd5e2f11b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1437 - Media Transport | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1437\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d1eb6ed-bf13-4046-b993-b9e2aef0f76c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d1eb6ed-bf13-4046-b993-b9e2aef0f76c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1171 - Penetration Testing | Independent Penetration Agent + Or Team\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1171\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d4820bc-8b61-4982-9501-2123cb776c00\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d4820bc-8b61-4982-9501-2123cb776c00\"},{\"properties\":{\"displayName\":\"Function + App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + of HTTPS ensures server/service authentication and protects data in transit + from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1643 - Cryptographic Key Establishment And Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1643\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d8d492c-dd7a-46f7-a723-fa66a425b87c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d8d492c-dd7a-46f7-a723-fa66a425b87c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1291 - Information System Backup | Testing For Reliability + / Integrity\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1291\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6d8fd073-9c85-4ee2-a9d0-2e4ec9eb8912\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1175 - Configuration Management Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1175\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6dab4254-c30d-4bb7-ae99-1d21586c063c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6dab4254-c30d-4bb7-ae99-1d21586c063c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1651 - Mobile Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1651\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6db63528-c9ba-491c-8a80-83e1e6977a50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6db63528-c9ba-491c-8a80-83e1e6977a50\"},{\"properties\":{\"displayName\":\"Email + notification for high severity alerts should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enable + emailing security alerts to the security contact, in order to have them receive + security alert emails from Microsoft. This ensures that the right people are + aware of any potential security issues and are able to mitigate the risks\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/alertNotifications\",\"notEquals\":\"Off\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e2593d9-add6-4083-9c9b-4b7d2188c899\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1586 - External Information System Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + 
implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1586\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e3b2fbd-8f37-4766-a64d-3f37703dcb51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e3b2fbd-8f37-4766-a64d-3f37703dcb51\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1536 - Risk Assessment Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1536\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e40d9de-2ad4-4cb5-8945-23143326a502\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e40d9de-2ad4-4cb5-8945-23143326a502\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1530 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1530\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6e8f9566-29f1-49cd-b61f-f8628a3cf993\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6e8f9566-29f1-49cd-b61f-f8628a3cf993\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1460 - Access Control For Output Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1460\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6f3ce1bb-4f77-4695-8355-70b08d54fdda\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6f3ce1bb-4f77-4695-8355-70b08d54fdda\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1320 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1320\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6f54c732-71d4-4f93-a696-4e373eca3a77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6f54c732-71d4-4f93-a696-4e373eca3a77\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation only in Japan data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation in the following locations only: Japan East, Japan West\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fdb9205-3462-4cfc-87d8-16c7860b53f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fdb9205-3462-4cfc-87d8-16c7860b53f4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1141 - Audit Generation | Changes By Authorized Individuals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1141\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fdefbf4-93e7-4513-bc95-c1858b7093e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fdefbf4-93e7-4513-bc95-c1858b7093e0\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Microsoft Network Server'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Microsoft Network Server'. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/6fe4ef56-7576-4dc4-8e9c-26bad4b087ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"6fe4ef56-7576-4dc4-8e9c-26bad4b087ce\"},{\"properties\":{\"displayName\":\"Ensure + that 'Python version' is the latest, if used as a part of the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for Python software either due to security flaws + or to include additional functionality. 
Using the latest Python version for + web apps is recommended in order to to take advantage of security fixes, if + any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows + Latest Python version\",\"description\":\"Latest supported Python version + for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux + Latest Python version\",\"description\":\"Latest supported Python version + for App Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', + 
parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7008174a-fd10-4ef0-817e-fc820a951d73\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Windows Components'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Windows Components'. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Send file samples when further analysis is required\",\"description\":\"Specifies + whether and how Windows Defender will submit samples of suspected malware + \ to Microsoft for further analysis when opt-in for MAPS telemetry is set.\"},\"defaultValue\":\"1\"},\"AllowIndexingOfEncryptedFiles\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Allow indexing of encrypted files\",\"description\":\"Specifies whether encrypted + items are allowed to be indexed.\"},\"defaultValue\":\"0\"},\"AllowTelemetry\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Allow Telemetry\",\"description\":\"Specifies configuration of the amount + of diagnostic and usage data reported to Microsoft. 
The data is transmitted + securely and sensitive data is not sent.\"},\"defaultValue\":\"2\"},\"AllowUnencryptedTraffic\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Allow unencrypted traffic\",\"description\":\"Specifies whether the Windows + Remote Management (WinRM) service sends and receives unencrypted messages + over the network.\"},\"defaultValue\":\"0\"},\"AlwaysInstallWithElevatedPrivileges\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Always install with elevated privileges\",\"description\":\"Specifies whether + Windows Installer should use system permissions when it installs any program + on the system.\"},\"defaultValue\":\"0\"},\"AlwaysPromptForPasswordUponConnection\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Always prompt for password upon connection\",\"description\":\"Specifies whether + Terminal Services/Remote Desktop Connection always prompts the client computer + for a password upon connection.\"},\"defaultValue\":\"1\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Application: Specify the maximum log file size (KB)\",\"description\":\"Specifies + the maximum size for the Application event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Automatically send memory dumps for OS-generated error reports\",\"description\":\"Specifies + if memory dumps in support of OS-generated error reports can be sent to Microsoft + automatically.\"},\"defaultValue\":\"1\"},\"ConfigureDefaultConsent\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Configure Default consent\",\"description\":\"Specifies setting of the default + consent handling for error reports sent to 
Microsoft.\"},\"defaultValue\":\"4\"},\"ConfigureWindowsSmartScreen\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Configure Windows SmartScreen\",\"description\":\"Specifies how to manage + the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer + by warning users before running unrecognized programs downloaded from the + Internet. Some information is sent to Microsoft about files and programs run + on PCs with this feature enabled.\"},\"defaultValue\":\"1\"},\"DisallowDigestAuthentication\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Disallow Digest authentication\",\"description\":\"Specifies whether the Windows + Remote Management (WinRM) client will not use Digest authentication.\"},\"defaultValue\":\"0\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Disallow WinRM from storing RunAs credentials\",\"description\":\"Specifies + whether the Windows Remote Management (WinRM) service will not allow RunAs + credentials to be stored for any plug-ins.\"},\"defaultValue\":\"1\"},\"DoNotAllowPasswordsToBeSaved\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Do not allow passwords to be saved\",\"description\":\"Specifies whether to + prevent Remote Desktop Services - Terminal Services clients from saving passwords + on a computer.\"},\"defaultValue\":\"1\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Security: Specify the maximum log file size (KB)\",\"description\":\"Specifies + the maximum size for the Security event log in kilobytes.\"},\"defaultValue\":\"196608\"},\"SetClientConnectionEncryptionLevel\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Set client connection encryption level\",\"description\":\"Specifies whether + to require the use of a specific encryption level to secure communications + between client computers and RD 
Session Host servers during Remote Desktop + Protocol (RDP) connections. This policy only applies when you are using native + RDP encryption.\"},\"defaultValue\":\"3\"},\"SetTheDefaultBehaviorForAutoRun\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Set the default behavior for AutoRun\",\"description\":\"Specifies the default + behavior for Autorun commands. Autorun commands are generally stored in autorun.inf + files. They often launch the installation program or other routines.\"},\"defaultValue\":\"1\"},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Setup: Specify the maximum log file size (KB)\",\"description\":\"Specifies + the maximum size for the Setup event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + System: Specify the maximum log file size (KB)\",\"description\":\"Specifies + the maximum size for the System event log in kilobytes.\"},\"defaultValue\":\"32768\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Turn off Data Execution Prevention for Explorer\",\"description\":\"Specifies + whether to turn off Data Execution Prevention for Windows File Explorer. Disabling + data execution prevention can allow certain legacy plug-in applications to + function without terminating Explorer.\"},\"defaultValue\":\"0\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Specify the interval to check for definition updates\",\"description\":\"Specifies + an interval at which to check for Windows Defender definition updates. 
The + time value is represented as the number of hours between update checks.\"},\"defaultValue\":\"8\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.C
ompute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsComponents\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Send + file samples when further analysis is required;ExpectedValue', '=', parameters('SendFileSamplesWhenFurtherAnalysisIsRequired'), + ',', 'Allow indexing of encrypted files;ExpectedValue', '=', parameters('AllowIndexingOfEncryptedFiles'), + ',', 'Allow Telemetry;ExpectedValue', '=', parameters('AllowTelemetry'), ',', + 'Allow unencrypted traffic;ExpectedValue', '=', parameters('AllowUnencryptedTraffic'), + ',', 'Always install with elevated privileges;ExpectedValue', '=', parameters('AlwaysInstallWithElevatedPrivileges'), + ',', 'Always prompt for password upon connection;ExpectedValue', '=', parameters('AlwaysPromptForPasswordUponConnection'), + ',', 'Application: Specify the maximum log file size (KB);ExpectedValue', + '=', parameters('ApplicationSpecifyTheMaximumLogFileSizeKB'), ',', 'Automatically + send memory dumps for OS-generated error reports;ExpectedValue', '=', parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports'), + ',', 'Configure Default consent;ExpectedValue', '=', parameters('ConfigureDefaultConsent'), + ',', 'Configure Windows 
SmartScreen;ExpectedValue', '=', parameters('ConfigureWindowsSmartScreen'), + ',', 'Disallow Digest authentication;ExpectedValue', '=', parameters('DisallowDigestAuthentication'), + ',', 'Disallow WinRM from storing RunAs credentials;ExpectedValue', '=', parameters('DisallowWinRMFromStoringRunAsCredentials'), + ',', 'Do not allow passwords to be saved;ExpectedValue', '=', parameters('DoNotAllowPasswordsToBeSaved'), + ',', 'Security: Specify the maximum log file size (KB);ExpectedValue', '=', + parameters('SecuritySpecifyTheMaximumLogFileSizeKB'), ',', 'Set client connection + encryption level;ExpectedValue', '=', parameters('SetClientConnectionEncryptionLevel'), + ',', 'Set the default behavior for AutoRun;ExpectedValue', '=', parameters('SetTheDefaultBehaviorForAutoRun'), + ',', 'Setup: Specify the maximum log file size (KB);ExpectedValue', '=', parameters('SetupSpecifyTheMaximumLogFileSizeKB'), + ',', 'System: Specify the maximum log file size (KB);ExpectedValue', '=', + parameters('SystemSpecifyTheMaximumLogFileSizeKB'), ',', 'Turn off Data Execution + Prevention for Explorer;ExpectedValue', '=', parameters('TurnOffDataExecutionPreventionForExplorer'), + ',', 'Specify the interval to check for definition updates;ExpectedValue', + '=', 
parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_WindowsComponents\"},\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},\"AllowIndexingOfEncryptedFiles\":{\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},\"AllowTelemetry\":{\"value\":\"[parameters('AllowTelemetry')]\"},\"AllowUnencryptedTraffic\":{\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},\"AlwaysInstallWithElevatedPrivileges\":{\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},\"AlwaysPromptForPasswordUponConnection\":{\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},\"ConfigureDefaultConsent\":{\"value\":\"[parameters('ConfigureDefaultConsent')]\"},\"ConfigureWindowsSmartScreen\":{\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},\"DisallowDigestAuthentication\":{\"value\":\"[parameters('DisallowDigestAuthentication')]\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},\"DoNotAllowPasswordsToBeSaved\":{\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},\"SetClientConnectionEncryptionLevel\":{\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},\"SetTheDefaultBehaviorForAutoRun\":{\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"
},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"SendFileSamplesWhenFurtherAnalysisIsRequired\":{\"type\":\"string\"},\"AllowIndexingOfEncryptedFiles\":{\"type\":\"string\"},\"AllowTelemetry\":{\"type\":\"string\"},\"AllowUnencryptedTraffic\":{\"type\":\"string\"},\"AlwaysInstallWithElevatedPrivileges\":{\"type\":\"string\"},\"AlwaysPromptForPasswordUponConnection\":{\"type\":\"string\"},\"ApplicationSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"AutomaticallySendMemoryDumpsForOSgeneratedErrorReports\":{\"type\":\"string\"},\"ConfigureDefaultConsent\":{\"type\":\"string\"},\"ConfigureWindowsSmartScreen\":{\"type\":\"string\"},\"DisallowDigestAuthentication\":{\"type\":\"string\"},\"DisallowWinRMFromStoringRunAsCredentials\":{\"type\":\"string\"},\"DoNotAllowPasswordsToBeSaved\":{\"type\":\"string\"},\"SecuritySpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"SetClientConnectionEncryptionLevel\":{\"type\":\"string\"},\"SetTheDefaultBehaviorForAutoRun\":{\"type\":\"string\"},\"SetupSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"SystemSpecifyTheMaximumLogFileSizeKB\":{\"type\":\"string\"},\"TurnOffDataExecutionPreventionForExplorer\":{\"type\":\"string\"},\"SpecifyTheIntervalToCheckForDefinitionUpdates\":{\"type\":\"string\"}},\"resou
rces\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Send + file samples when further analysis is required;ExpectedValue\",\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},{\"name\":\"Allow + indexing of encrypted files;ExpectedValue\",\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},{\"name\":\"Allow + Telemetry;ExpectedValue\",\"value\":\"[parameters('AllowTelemetry')]\"},{\"name\":\"Allow + unencrypted traffic;ExpectedValue\",\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},{\"name\":\"Always + install with elevated privileges;ExpectedValue\",\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},{\"name\":\"Always + prompt for password upon connection;ExpectedValue\",\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},{\"name\":\"Application: + Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Automatically + send memory dumps for OS-generated error reports;ExpectedValue\",\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},{\"name\":\"Configure + Default consent;ExpectedValue\",\"value\":\"[parameters('ConfigureDefaultConsent')]\"},{\"name\":\"Configure + Windows SmartScreen;ExpectedValue\",\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},{\"name\":\"Disallow + Digest authentication;ExpectedValue\",\"value\":\"[parameters('DisallowDigestAuthentication')]\"},{\"name\":\"Disallow + WinRM 
from storing RunAs credentials;ExpectedValue\",\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},{\"name\":\"Do + not allow passwords to be saved;ExpectedValue\",\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},{\"name\":\"Security: + Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Set + client connection encryption level;ExpectedValue\",\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},{\"name\":\"Set + the default behavior for AutoRun;ExpectedValue\",\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"},{\"name\":\"Setup: + Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"System: + Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Turn + off Data Execution Prevention for Explorer;ExpectedValue\",\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},{\"name\":\"Specify + the interval to check for definition updates;ExpectedValue\",\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Send + file samples when further analysis is required;ExpectedValue\",\"value\":\"[parameters('SendFileSamplesWhenFurtherAnalysisIsRequired')]\"},{\"name\":\"Allow + indexing of encrypted 
files;ExpectedValue\",\"value\":\"[parameters('AllowIndexingOfEncryptedFiles')]\"},{\"name\":\"Allow + Telemetry;ExpectedValue\",\"value\":\"[parameters('AllowTelemetry')]\"},{\"name\":\"Allow + unencrypted traffic;ExpectedValue\",\"value\":\"[parameters('AllowUnencryptedTraffic')]\"},{\"name\":\"Always + install with elevated privileges;ExpectedValue\",\"value\":\"[parameters('AlwaysInstallWithElevatedPrivileges')]\"},{\"name\":\"Always + prompt for password upon connection;ExpectedValue\",\"value\":\"[parameters('AlwaysPromptForPasswordUponConnection')]\"},{\"name\":\"Application: + Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('ApplicationSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Automatically + send memory dumps for OS-generated error reports;ExpectedValue\",\"value\":\"[parameters('AutomaticallySendMemoryDumpsForOSgeneratedErrorReports')]\"},{\"name\":\"Configure + Default consent;ExpectedValue\",\"value\":\"[parameters('ConfigureDefaultConsent')]\"},{\"name\":\"Configure + Windows SmartScreen;ExpectedValue\",\"value\":\"[parameters('ConfigureWindowsSmartScreen')]\"},{\"name\":\"Disallow + Digest authentication;ExpectedValue\",\"value\":\"[parameters('DisallowDigestAuthentication')]\"},{\"name\":\"Disallow + WinRM from storing RunAs credentials;ExpectedValue\",\"value\":\"[parameters('DisallowWinRMFromStoringRunAsCredentials')]\"},{\"name\":\"Do + not allow passwords to be saved;ExpectedValue\",\"value\":\"[parameters('DoNotAllowPasswordsToBeSaved')]\"},{\"name\":\"Security: + Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SecuritySpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Set + client connection encryption level;ExpectedValue\",\"value\":\"[parameters('SetClientConnectionEncryptionLevel')]\"},{\"name\":\"Set + the default behavior for AutoRun;ExpectedValue\",\"value\":\"[parameters('SetTheDefaultBehaviorForAutoRun')]\"},{\"name\":\"Setup: + Specify the maximum log file size 
(KB);ExpectedValue\",\"value\":\"[parameters('SetupSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"System: + Specify the maximum log file size (KB);ExpectedValue\",\"value\":\"[parameters('SystemSpecifyTheMaximumLogFileSizeKB')]\"},{\"name\":\"Turn + off Data Execution Prevention for Explorer;ExpectedValue\",\"value\":\"[parameters('TurnOffDataExecutionPreventionForExplorer')]\"},{\"name\":\"Specify + the interval to check for definition updates;ExpectedValue\",\"value\":\"[parameters('SpecifyTheIntervalToCheckForDefinitionUpdates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7040a231-fb65-4412-8c0a-b365f4866c24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7040a231-fb65-4412-8c0a-b365f4866c24\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1254 - Contingency Plan | Resume All Missions / Business Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + 
implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1254\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/704e136a-4fe0-427c-b829-cd69957f5d2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"704e136a-4fe0-427c-b829-cd69957f5d2b\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - System'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7066131b-61a6-4917-a7e4-72e8983f0aa6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7066131b-61a6-4917-a7e4-72e8983f0aa6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1509 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1509\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/70792197-9bfc-4813-905a-bd33993e327f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"70792197-9bfc-4813-905a-bd33993e327f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1541 - Risk 
Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1541\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/70f6af82-7be6-44aa-9b15-8b9231b2e434\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"70f6af82-7be6-44aa-9b15-8b9231b2e434\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1691 - Information System Monitoring | Automated Tools For + Real-Time Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1691\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/71475fb4-49bd-450b-a1a5-f63894c24725\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"71475fb4-49bd-450b-a1a5-f63894c24725\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1481 - Temperature And Humidity Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1481\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/717a1c78-a267-4f56-ac58-ee6c54dc4339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"717a1c78-a267-4f56-ac58-ee6c54dc4339\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1129 - Time Stamps | Synchronization With Authoritative Time + Source\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1129\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/71bb965d-4047-4623-afd4-b8189a58df5d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"71bb965d-4047-4623-afd4-b8189a58df5d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1395 - System Maintenance Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1395\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7207a023-a517-41c5-9df2-09d4c6845a05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7207a023-a517-41c5-9df2-09d4c6845a05\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs on which the DSC configuration is not + compliant\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows VMs on which the Desired State Configuration (DSC) configuration + is not compliant. This policy is only applicable to machines with WMF 4 and + above. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDscConfiguration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7227ebe5-9ff7-47ab-b823-171cd02fb90f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7227ebe5-9ff7-47ab-b823-171cd02fb90f\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Administrative Templates + - Network'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Administrative Templates - Network'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesNetwork\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7229bd6a-693d-478a-87f0-1dc1af06f3b8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7229bd6a-693d-478a-87f0-1dc1af06f3b8\"},{\"properties\":{\"displayName\":\"Ensure + that 'Python version' is the latest, if used as a part of the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for Python software either due to security flaws + or to include additional functionality. 
Using the latest Python version for + Function apps is recommended in order to to take advantage of security fixes, + if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows + Latest Python version\",\"description\":\"Latest supported Python version + for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux + Latest Python version\",\"description\":\"Latest supported Python version + for App Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', + 
parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7238174a-fd10-4ef0-817e-fc820a951d73\"},{\"properties\":{\"displayName\":\"Ensure + that 'PHP version' is the latest, if used as a part of the WEB app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for PHP software either due to security flaws + or to include additional functionality. Using the latest PHP version for web + apps is recommended in order to to take advantage of security fixes, if any, + and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest + PHP version\",\"description\":\"Latest supported PHP version for App 
Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', + parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7261b898-8a84-4db8-9e04-18527132abb3\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that allow re-use of the previous + 24 passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that allow re-use of the previous 24 passwords. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"EnforcePasswordHistory\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"EnforcePasswordHistory\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/726671ac-c4de-4908-8c7d-6043ae62e3b6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"726671ac-c4de-4908-8c7d-6043ae62e3b6\"},{\"properties\":{\"displayName\":\"Add + a tag to resource 
groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Adds + the specified tag and value when any resource group missing this tag is created + or updated. Existing resource groups can be remediated by triggering a remediation + task. If the tag exists with a different value it will not be changed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/726aca4c-86e9-4b04-b0c5-073027359532\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"726aca4c-86e9-4b04-b0c5-073027359532\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1524 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1524\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/72f1cb4e-2439-4fe8-88ea-b8671ce3c268\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"72f1cb4e-2439-4fe8-88ea-b8671ce3c268\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1393 - Information Spillage Response | Exposure To Unauthorized + Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1393\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/731856d8-1598-4b75-92de-7d46235747c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"731856d8-1598-4b75-92de-7d46235747c0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1101 - Audit And Accountability Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1101\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7327b708-f0e0-457d-9d2a-527fcc9c9a65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7327b708-f0e0-457d-9d2a-527fcc9c9a65\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1456 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1456\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/733ba9e3-9e7c-440a-a7aa-6196a90a2870\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"733ba9e3-9e7c-440a-a7aa-6196a90a2870\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1581 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1581\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/742b549b-7a25-465f-b83c-ea1ffb4f4e0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"742b549b-7a25-465f-b83c-ea1ffb4f4e0e\"},{\"properties\":{\"displayName\":\"Allowed + storage account SKUs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy enables you to specify a set of storage account SKUs that your organization + can deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"listOfAllowedSKUs\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of SKUs that can be specified for storage accounts.\",\"displayName\":\"Allowed + SKUs\",\"strongType\":\"StorageSKUs\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"in\":\"[parameters('listOfAllowedSKUs')]\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7433c107-6db4-4ad1-b57a-a76dce0154a1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7433c107-6db4-4ad1-b57a-a76dce0154a1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1631 - Boundary Protection | Deny By Default / Allow By Exception\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1631\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/74ae9b8e-e7bb-4c9c-992f-c535282f7a2c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"74ae9b8e-e7bb-4c9c-992f-c535282f7a2c\"},{\"properties\":{\"displayName\":\"Ensure + that 'Python version' is the latest, if used as a part of the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for Python software either due to security flaws + or to include additional functionality. Using the latest Python version for + Api apps is recommended in order to to take advantage of security fixes, if + any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"WindowsPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Windows + Latest Python version\",\"description\":\"Latest supported Python version + for App Services\"},\"defaultValue\":\"3.6\"},\"LinuxPythonLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Linux + Latest Python version\",\"description\":\"Latest supported Python version + for App 
Services\"},\"defaultValue\":\"3.8\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PYTHON\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PYTHON|', + parameters('LinuxPythonLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.pythonVersion\",\"equals\":\"[parameters('WindowsPythonLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/74c3584d-afae-46f7-a20a-6f8adba71a16\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"74c3584d-afae-46f7-a20a-6f8adba71a16\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1417 - Nonlocal Maintenance | Comparable Security / Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1417\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7522ed84-70d5-4181-afc0-21e50b1b6d0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7522ed84-70d5-4181-afc0-21e50b1b6d0e\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit enabling of diagnostic logs in App Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + enabling of diagnostic logs on the app. This enables you to recreate activity + trails for investigation purposes if a security incident occurs or your network + is compromised\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"App + Service\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites/config\"},{\"field\":\"name\",\"equals\":\"web\"},{\"anyOf\":[{\"field\":\"Microsoft.Web/sites/config/detailedErrorLoggingEnabled\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/httpLoggingEnabled\",\"notEquals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/requestTracingEnabled\",\"notEquals\":\"true\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/752c6934-9bcc-4749-b004-655e676ae2ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"752c6934-9bcc-4749-b004-655e676ae2ac\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1468 - Visitor 
Access Records | Automated Records Maintenance + / Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1468\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/75603f96-80a1-4757-991d-5a1221765ddd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"75603f96-80a1-4757-991d-5a1221765ddd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1053 - Session Lock | Pattern-Hiding Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1053\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7582b19c-9dba-438e-aed8-ede59ac35ba3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7582b19c-9dba-438e-aed8-ede59ac35ba3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1459 - Access Control For Transmission Medium\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1459\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"75cc73c7-5cdb-479d-a06f-7b4d0dbb1da0\"},{\"properties\":{\"displayName\":\"Vulnerabilities + should be remediated by a Vulnerability Assessment solution\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Monitors + vulnerabilities detected by Vulnerability Assessment solution and VMs without + a Vulnerability Assessment solution in Azure Security Center as recommendations.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"vulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/760a85ff-6162-42b3-8d70-698e268f648c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"760a85ff-6162-42b3-8d70-698e268f648c\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Dependency Agent for Linux VM Scale Sets 
(VMSS)\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Dependency Agent for Linux VM Scale Sets if the VM Image (OS) is in the list + defined and the agent is not installed. Note: if your scale set upgradePolicy + is set to Manual, you need to apply the extension to the all VMs in the set + by calling upgrade on them. In CLI this would be az vmss update-instances.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude')]\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"
SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"CentOS\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c\"],\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"DependencyAgentLinux\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"vmExtensionName\":\"DependencyAgent\",\"vmExtensionPublisher\":\"Microsoft.Azure.Monitoring.DependencyAgent\",\"vmExtensionType\":\"DependencyAgentLinux\",\"vmExtensionTypeHandlerVersion\":\"9.7\"},\"resources\":[{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"name\":\"[concat(parameters('vmName'), + '/', 
variables('vmExtensionName'))]\",\"apiVersion\":\"2018-06-01\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"[variables('vmExtensionPublisher')]\",\"type\":\"[variables('vmExtensionType')]\",\"typeHandlerVersion\":\"[variables('vmExtensionTypeHandlerVersion')]\",\"autoUpgradeMinorVersion\":true}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + extension for: ', parameters('vmName'))]\"}}},\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/765266ab-e40e-4c61-bcb2-5a5275d0b7c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"765266ab-e40e-4c61-bcb2-5a5275d0b7c0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1055 - Session Termination| User-Initiated Logouts / Message + Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1055\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/769efd9b-3587-4e22-90ce-65ddcd5bd969\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"769efd9b-3587-4e22-90ce-65ddcd5bd969\"},{\"properties\":{\"displayName\":\"Audit + delegation of scopes to a managing tenant\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + delegation of scopes to a managing tenant via Azure 
Lighthouse.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Lighthouse\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ManagedServices/registrationAssignments\"},{\"value\":\"true\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76bed37b-484f-430f-a009-fd7592dff818\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76bed37b-484f-430f-a009-fd7592dff818\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1058 - Permitted Actions Without Identification Or Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1058\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76e85d08-8fbb-4112-a1c1-93521e6a9254\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76e85d08-8fbb-4112-a1c1-93521e6a9254\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1508 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1508\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/76f500cc-4bca-4583-bda1-6d084dc21086\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"76f500cc-4bca-4583-bda1-6d084dc21086\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1423 - Maintenance Personnel | Individuals Without Appropriate + Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1423\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7741669e-d4f6-485a-83cb-e70ce7cbbc20\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7741669e-d4f6-485a-83cb-e70ce7cbbc20\"},{\"properties\":{\"displayName\":\"Azure + subscriptions should have a log profile for Activity Log\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy ensures if a log profile is enabled for exporting activity logs. 
It + audits if there is no log profile created to export the logs either to a storage + account or to an event hub.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"field\":\"Microsoft.Insights/logProfiles/categories\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7796937f-307b-4598-941c-67d3a05ebfe7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7796937f-307b-4598-941c-67d3a05ebfe7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1336 - Authenticator Management | Pki-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1336\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/77f56280-e367-432a-a3b9-8ca2aa636a26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"77f56280-e367-432a-a3b9-8ca2aa636a26\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1258 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this 
Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1258\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7814506c-382c-4d33-a142-249dd4a0dbff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7814506c-382c-4d33-a142-249dd4a0dbff\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1178 - Baseline Configuration | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1178\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7818b8f4-47c6-441a-90ae-12ce04e99893\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7818b8f4-47c6-441a-90ae-12ce04e99893\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1057 - Permitted Actions Without Identification Or Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1057\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/78255758-6d45-4bf0-a005-7016bc03b13c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"78255758-6d45-4bf0-a005-7016bc03b13c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1700 - Information System Monitoring | Unauthorized Network + Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1700\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7831b4ba-c3f4-4cb1-8c11-ef8d59438cd5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1010 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1010\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/784663a8-1eb0-418a-a98c-24d19bc1bb62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"784663a8-1eb0-418a-a98c-24d19bc1bb62\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1216 - Least Functionality | Periodic Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1216\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7894fe6a-f5cb-44c8-ba90-c3f254ff9484\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7894fe6a-f5cb-44c8-ba90-c3f254ff9484\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1639 - Boundary Protection | Isolation Of Information System + Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1639\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/78e8e649-50f6-4fe3-99ac-fedc2e63b03f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"78e8e649-50f6-4fe3-99ac-fedc2e63b03f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1647 - Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1647\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/791cfc15-6974-42a0-9f4c-2d4b82f4a78c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"791cfc15-6974-42a0-9f4c-2d4b82f4a78c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1510 - Position Risk Designation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1510\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/79da5b09-0e7e-499e-adda-141b069c7998\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"79da5b09-0e7e-499e-adda-141b069c7998\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1384 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1384\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/79fbc228-461c-4a45-9004-a865ca0728a7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"79fbc228-461c-4a45-9004-a865ca0728a7\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows Server VMs on which Windows Serial Console + is not enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows Server virtual + machines on which Windows Serial Console is not enabled. It also creates a + system-assigned managed identity and deploys the VM extension for Guest Configuration. + This policy should only be used along with its corresponding audit policy + in an initiative. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"EMSPortNumber\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"EMS + Port Number\",\"description\":\"An integer indicating the COM port to be used + for the Emergency Management Services (EMS) console redirection. For more + information on EMS settings, please visit https://aka.ms/gcpolwsc\"},\"allowedValues\":[\"1\",\"2\",\"3\",\"4\"],\"defaultValue\":\"1\"},\"EMSBaudRate\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"EMS + Baud Rate\",\"description\":\"An integer indicating the baud rate to be used + for the Emergency Management Services (EMS) console redirection. For more + information on EMS settings, please visit https://aka.ms/gcpolwsc\"},\"allowedValues\":[\"9600\",\"19200\",\"38400\",\"57600\",\"115200\"],\"defaultValue\":\"115200\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[
\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsSerialConsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber', + '=', parameters('EMSPortNumber'), ',', '[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate', + '=', 
parameters('EMSBaudRate')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsSerialConsole\"},\"EMSPortNumber\":{\"value\":\"[parameters('EMSPortNumber')]\"},\"EMSBaudRate\":{\"value\":\"[parameters('EMSBaudRate')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EMSPortNumber\":{\"type\":\"string\"},\"EMSBaudRate\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber\",\"value\":\"[parameters('EMSPortNumber')]\"},{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate\",\"value\":\"[parameters('EMSBaudRate')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSPortNumber\",\"value\":\"[parameters('EMSPortNumber')]\"},{\"name\":\"[WindowsSerialConsole]WindowsSerialConsole;EMSBaudRate\",\"value\":\"[parameters('EMSBaudRate')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a031c68-d6ab-406e-a506-697a19c634b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a031c68-d6ab-406e-a506-697a19c634b0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1093 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1093\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a0bdeeb-15f4-47e8-a1da-9f769f845fdf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a0bdeeb-15f4-47e8-a1da-9f769f845fdf\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1708 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1708\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a1e2c88-13de-4959-8ee7-47e3d74f1f48\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a1e2c88-13de-4959-8ee7-47e3d74f1f48\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1289 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1289\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a724864-956a-496c-b778-637cb1d762cf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a724864-956a-496c-b778-637cb1d762cf\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1687 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1687\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7a87fc7f-301e-49f3-ba2a-4d74f424fa97\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7a87fc7f-301e-49f3-ba2a-4d74f424fa97\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1061 - Remote Access | Automated Monitoring / Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1061\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ac22808-a2e8-41c4-9d46-429b50738914\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ac22808-a2e8-41c4-9d46-429b50738914\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1492 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1492\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ad5f307-e045-46f7-8214-5bdb7e973737\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ad5f307-e045-46f7-8214-5bdb7e973737\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1636 - Boundary Protection | Isolation Of Security Tools / + Mechanisms / Support Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1636\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7b694eed-7081-43c6-867c-41c76c961043\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7b694eed-7081-43c6-867c-41c76c961043\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Virtual Machine Scale Sets should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + is recommended to enable Logs so that activity trail can be recreated when + investigations are required in the event of an incident or a compromise.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"IaaSDiagnostics\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Diagnostics\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"equals\":\"LinuxDiagnostic\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"in\":[\"Microsoft.OSTCExtensions\",\"Microsoft.Azure.Diagnostics\"]}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c1b1214-f927-48bf-8882-84f0af6588b1\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Require blob encryption for storage accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy ensures blob encryption for storage accounts is turned on. It only + applies to Microsoft.Storage resource types, not other storage providers. 
+ This policy is deprecated because storage blob encryption is now enabled by + default, and can no longer be disabled.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Storage\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/enableBlobEncryption\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c5a74bf-ae94-4a74-8fcf-644d1e0e6e6f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1143 - Security Assessment And Authorization Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1143\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7c6de11b-5f51-4f7c-8d83-d2467c8a816e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7c6de11b-5f51-4f7c-8d83-d2467c8a816e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1051 - Session Lock\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1051\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7cac6ee9-b58b-40c8-a5ce-f0efc3d9b339\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1279 - Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1279\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7d00bcd6-963d-4c02-ad8e-b45fa50bf3b0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1109 - Content Of Audit Records | Centralized Management Of + Planned Audit Record Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1109\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7d9ffa23-ad92-4d0d-b1f4-7db274cc2aec\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1201 - Security Impact Analysis | Separate Test Environments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1201\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7daef997-fdd3-461b-8807-a608a6dd70f1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7daef997-fdd3-461b-8807-a608a6dd70f1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1471 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1471\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7dd0e9ce-1772-41fb-a50a-99977071f916\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7dd0e9ce-1772-41fb-a50a-99977071f916\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that have the specified applications installed. + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\"
:[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"NotInstalledApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e56b49b-5990-4159-a734-511ea19b731c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e56b49b-5990-4159-a734-511ea19b731c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1011 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1011\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e6a54f3-883f-43d5-87c4-172dfd64a1f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e6a54f3-883f-43d5-87c4-172dfd64a1f5\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that have not restarted within the specified + number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy 
in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that have not restarted within the specified + number of days. For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePub
lisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MachineLastBootUpTime\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7e84ba44-6d03-46fd-950e-5efa5a1112fa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7e84ba44-6d03-46fd-950e-5efa5a1112fa\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1692 - Information System Monitoring | Inbound And Outbound + Communications Traffic\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1692\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ecda928-9df4-4dd7-8f44-641a91e470e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ecda928-9df4-4dd7-8f44-641a91e470e8\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that do not have the password complexity + setting enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that do not have the password complexity setting enabled. It also creates + a system-assigned managed identity and deploys the VM extension for Guest + Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordMustMeetComplexityRequirements\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordMustMeetComplexityRequirements\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ed40801-8a0f-4ceb-85c0-9fd25c1d61a8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1191 - Configuration Change 
Control | Automated Document / + Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1191\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f26a61b-a74d-467c-99cf-63644db144f7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f26a61b-a74d-467c-99cf-63644db144f7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1520 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1520\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f2c513b-eb16-463b-b469-c10e5fa94f0a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f2c513b-eb16-463b-b469-c10e5fa94f0a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1126 - Audit Reduction And Report Generation | Automatic Processing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1126\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f37f71b-420f-49bf-9477-9c0196974ecf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f37f71b-420f-49bf-9477-9c0196974ecf\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - Privilege Use'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - Privilege Use'. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f4e96d1-e4f3-4dbb-b767-33ca4df8df7c\"},{\"properties\":{\"displayName\":\"Audit + diagnostic setting\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + diagnostic setting for selected resource types\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"listOfResourceTypes\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource + 
Types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypes')]\"},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7f89b1eb-583c-429a-8828-af049802c1d9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1117 - Audit Review, Analysis, And Reporting | Process Integration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1117\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7fbfe680-6dbb-4037-963c-a621c5635902\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7fbfe680-6dbb-4037-963c-a621c5635902\"},{\"properties\":{\"displayName\":\"SQL + Auditing settings should have Action-Groups configured to capture critical + activities\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"The + AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, + FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough + audit 
logging\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP\"}},{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"FAILED_DATABASE_AUTHENTICATION_GROUP\"}},{\"not\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/auditActionsAndGroups[*]\",\"notEquals\":\"BATCH_COMPLETED_GROUP\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ff426e2-515f-405a-91c8-4f2333442eb5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1703 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1703\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/804faf7d-b687-40f7-9f74-79e28adf4205\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"804faf7d-b687-40f7-9f74-79e28adf4205\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1303 - Identification And Authentication (Org. Users) | Local + Access To Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1303\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/80ca0a27-918a-4604-af9e-723a27ee51e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"80ca0a27-918a-4604-af9e-723a27ee51e8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1505 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1505\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/813a10a7-3943-4fe3-8678-00dc52db5490\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"813a10a7-3943-4fe3-8678-00dc52db5490\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1614 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1614\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8154e3b3-cc52-40be-9407-7756581d71f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8154e3b3-cc52-40be-9407-7756581d71f6\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'User Rights Assignment'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'User Rights Assignment'. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may access this computer from the network\",\"description\":\"Specifies + which remote users on the network are permitted to connect to the computer. + This does not include Remote Desktop Connection.\"},\"defaultValue\":\"Administrators, + Authenticated Users\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may log on locally\",\"description\":\"Specifies which + users or groups can interactively log on to the computer. Users who attempt + to log on via Remote Desktop Connection or IIS also require this user right.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may log on through Remote Desktop Services\",\"description\":\"Specifies + which users or groups are permitted to log on as a Terminal Services client, + Remote Desktop, or for Remote Assistance.\"},\"defaultValue\":\"Administrators, + Remote Desktop Users\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users and groups that are denied access to this computer from the network\",\"description\":\"Specifies + which users or groups are explicitly prohibited from connecting to the computer + across the network.\"},\"defaultValue\":\"Guests\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may manage auditing and security 
log\",\"description\":\"Specifies + users and groups permitted to change the auditing options for files and directories + and clear the Security log.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may back up files and directories\",\"description\":\"Specifies + users and groups allowed to circumvent file and directory permissions to back + up the system.\"},\"defaultValue\":\"Administrators, Backup Operators\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may change the system time\",\"description\":\"Specifies + which users and groups are permitted to change the time and date on the internal + clock of the computer.\"},\"defaultValue\":\"Administrators, LOCAL SERVICE\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may change the time zone\",\"description\":\"Specifies + which users and groups are permitted to change the time zone of the computer.\"},\"defaultValue\":\"Administrators, + LOCAL SERVICE\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may create a token object\",\"description\":\"Specifies + which users and groups are permitted to create an access token, which may + provide elevated rights to access sensitive data.\"},\"defaultValue\":\"No + One\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users and groups that are denied logging on as a batch job\",\"description\":\"Specifies + which users and groups are explicitly not permitted to log on to the computer + as a batch job (i.e. 
scheduled task).\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users and groups that are denied logging on as a service\",\"description\":\"Specifies + which service accounts are explicitly not permitted to register a process + as a service.\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users and groups that are denied local logon\",\"description\":\"Specifies + which users and groups are explicitly not permitted to log on to the computer.\"},\"defaultValue\":\"Guests\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users and groups that are denied log on through Remote Desktop Services\",\"description\":\"Specifies + which users and groups are explicitly not permitted to log on to the computer + via Terminal Services/Remote Desktop Client.\"},\"defaultValue\":\"Guests\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + User and groups that may force shutdown from a remote system\",\"description\":\"Specifies + which users and groups are permitted to shut down the computer from a remote + location on the network.\"},\"defaultValue\":\"Administrators\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users and groups that may restore files and directories\",\"description\":\"Specifies + which users and groups are permitted to bypass file, directory, registry, + and other persistent object permissions when restoring backed up files and + directories.\"},\"defaultValue\":\"Administrators, Backup Operators\"},\"UsersAndGroupsThatMayShutDownTheSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users and groups that may shut down 
the system\",\"description\":\"Specifies + which users and groups who are logged on locally to the computers in your + environment are permitted to shut down the operating system with the Shut + Down command.\"},\"defaultValue\":\"Administrators\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Users or groups that may take ownership of files or other objects\",\"description\":\"Specifies + which users and groups are permitted to take ownership of files, folders, + registry keys, processes, or threads. This user right bypasses any permissions + that are in place to protect objects to give ownership to the specified user.\"},\"defaultValue\":\"Administrators\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.
Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_UserRightsAssignment\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Access + this computer from the network;ExpectedValue', '=', parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork'), + ',', 'Allow log on locally;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnLocally'), + ',', 'Allow log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices'), + ',', 'Deny access to this computer from the network;ExpectedValue', '=', 
parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork'), + ',', 'Manage auditing and security log;ExpectedValue', '=', parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog'), + ',', 'Back up files and directories;ExpectedValue', '=', parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories'), + ',', 'Change the system time;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheSystemTime'), + ',', 'Change the time zone;ExpectedValue', '=', parameters('UsersOrGroupsThatMayChangeTheTimeZone'), + ',', 'Create a token object;ExpectedValue', '=', parameters('UsersOrGroupsThatMayCreateATokenObject'), + ',', 'Deny log on as a batch job;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob'), + ',', 'Deny log on as a service;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService'), + ',', 'Deny log on locally;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLocalLogon'), + ',', 'Deny log on through Remote Desktop Services;ExpectedValue', '=', parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices'), + ',', 'Force shutdown from a remote system;ExpectedValue', '=', parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem'), + ',', 'Restore files and directories;ExpectedValue', '=', parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories'), + ',', 'Shut down the system;ExpectedValue', '=', parameters('UsersAndGroupsThatMayShutDownTheSystem'), + ',', 'Take ownership of files or other objects;ExpectedValue', '=', 
parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_UserRightsAssignment\"},\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLo
gOnThroughRemoteDesktopServices')]\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},\"UsersAndGroupsThatMayShutDownTheSystem\":{\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"UsersOrGroupsThatMayAccessThisComputerFromTheNetwork\":{\"type\":\"string\"},\"UsersOrGroupsThatMayLogOnLocally\":{\"type\":\"string\"},\"UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork\":{\"type\":\"string\"},\"UsersOrGroupsThatMayManageAuditingAndSecurityLog\":{\"type\":\"string\"},\"UsersOrGroupsThatMayBackUpFilesAndDirectories\":{\"type\":\"string\"},\"UsersOrGroupsThatMayChangeTheSystemTime\":{\"type\":\"string\"},\"UsersOrGroupsThatMayChangeTheTimeZone\":{\"type\":\"string\"},\"UsersOrGroupsThatMayCreateATokenObject\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLoggingOnAsAService\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLocalLogon\":{\"type\":\"string\"},\"UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices\":{\"type\":\"string\"},\"UserAndGroupsThatMayForceShutdownFromARemoteSystem\":{\"type\":\"string\"},\"UsersAndGroupsThatMayRestoreFilesAndDirectories\":{\"type\":\"string\"},\"UsersAndGroupsThatMayShutDownThe
System\":{\"type\":\"string\"},\"UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Access + this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},{\"name\":\"Allow + log on locally;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},{\"name\":\"Allow + log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Deny + access to this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},{\"name\":\"Manage + auditing and security log;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},{\"name\":\"Back + up files and directories;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},{\"name\":\"Change + the system time;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},{\"name\":\"Change + the time zone;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},{\"name\":\"Create + a token object;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},{\"name\":\"Deny + log on as a batch 
job;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},{\"name\":\"Deny + log on as a service;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},{\"name\":\"Deny + log on locally;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},{\"name\":\"Deny + log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Force + shutdown from a remote system;ExpectedValue\",\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},{\"name\":\"Restore + files and directories;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},{\"name\":\"Shut + down the system;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},{\"name\":\"Take + ownership of files or other objects;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Access + this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayAccessThisComputerFromTheNetwork')]\"},{\"name\":\"Allow + log on locally;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnLocally')]\"},{\"name\":\"Allow + log on through Remote Desktop 
Services;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Deny + access to this computer from the network;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedAccessToThisComputerFromTheNetwork')]\"},{\"name\":\"Manage + auditing and security log;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayManageAuditingAndSecurityLog')]\"},{\"name\":\"Back + up files and directories;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayBackUpFilesAndDirectories')]\"},{\"name\":\"Change + the system time;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheSystemTime')]\"},{\"name\":\"Change + the time zone;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayChangeTheTimeZone')]\"},{\"name\":\"Create + a token object;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayCreateATokenObject')]\"},{\"name\":\"Deny + log on as a batch job;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsABatchJob')]\"},{\"name\":\"Deny + log on as a service;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLoggingOnAsAService')]\"},{\"name\":\"Deny + log on locally;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLocalLogon')]\"},{\"name\":\"Deny + log on through Remote Desktop Services;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatAreDeniedLogOnThroughRemoteDesktopServices')]\"},{\"name\":\"Force + shutdown from a remote system;ExpectedValue\",\"value\":\"[parameters('UserAndGroupsThatMayForceShutdownFromARemoteSystem')]\"},{\"name\":\"Restore + files and directories;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayRestoreFilesAndDirectories')]\"},{\"name\":\"Shut + down the system;ExpectedValue\",\"value\":\"[parameters('UsersAndGroupsThatMayShutDownTheSystem')]\"},{\"name\":\"Take + ownership of files or other 
objects;ExpectedValue\",\"value\":\"[parameters('UsersOrGroupsThatMayTakeOwnershipOfFilesOrOtherObjects')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/815dcc9f-6662-43f2-9a03-1b83e9876f24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"815dcc9f-6662-43f2-9a03-1b83e9876f24\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1308 - Identification And Authentication (Org. 
Users) | Remote + Access - Separate Device\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1308\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/81817e1c-5347-48dd-965a-40159d008229\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"81817e1c-5347-48dd-965a-40159d008229\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1287 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1287\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/819dc6da-289d-476e-8500-7e341ef8677d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"819dc6da-289d-476e-8500-7e341ef8677d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1213 - Configuration Settings | Respond To Unauthorized Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1213\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/81f11e32-a293-4a58-82cd-134af52e2318\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"81f11e32-a293-4a58-82cd-134af52e2318\"},{\"properties\":{\"displayName\":\"Geo-redundant + backup should be enabled for Azure Database for MySQL\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Azure Database for MySQL with geo-redundant backup not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMySQL/servers\"},{\"field\":\"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82339799-d096-41ae-8538-b108becf0970\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1168 - Continuous Monitoring | Independent Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1168\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82409f9e-1f32-4775-bf07-b99d53a91b06\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82409f9e-1f32-4775-bf07-b99d53a91b06\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1448 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1448\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/825d6494-e583-42f2-a3f2-6458e6f0004f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"825d6494-e583-42f2-a3f2-6458e6f0004f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1452 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1452\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/82c76455-4d3f-4e09-a654-22e592107e74\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"82c76455-4d3f-4e09-a654-22e592107e74\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1262 - Contingency Plan Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1262\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/831e510e-db41-4c72-888e-a0621ab62265\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"831e510e-db41-4c72-888e-a0621ab62265\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1008 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1008\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8356cfc6-507a-4d20-b818-08038011cd07\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8356cfc6-507a-4d20-b818-08038011cd07\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Event Hub should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Event + Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"83a214f7-d01a-484b-91a9-ed54470c9a6a\"},{\"properties\":{\"displayName\":\"Network + interfaces should not have public IPs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy denies the network interfaces which are configured with any public + IP. Public IP addresses allow internet resources to communicate inbound to + Azure resources, and Azure resources to communicate outbound to the internet. 
+ This should be reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"not\":{\"field\":\"Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id\",\"notLike\":\"*\"}}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"83a86a26-fd1f-447c-b59d-e51f44264114\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1382 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1382\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/841392b3-40da-4473-b328-4cde49db67b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"841392b3-40da-4473-b328-4cde49db67b3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1098 - Security Training Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1098\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84363adb-dde3-411a-9fc1-36b56737f822\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84363adb-dde3-411a-9fc1-36b56737f822\"},{\"properties\":{\"displayName\":\"Ensure + that '.Net Framework' version is the latest, if used as a part of the Web + app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for .Net Framework software either due to security + flaws or to include additional functionality. Using the latest .Net framework + version for web apps is recommended in order to to take advantage of security + fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/843664e0-7563-41ee-a9cb-7522c382d2c4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"843664e0-7563-41ee-a9cb-7522c382d2c4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed 
Control 1119 - Audit Review, Analysis, And Reporting | Central Review + And Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1119\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/845f6359-b764-4b40-b579-657aefe23c44\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"845f6359-b764-4b40-b579-657aefe23c44\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1024 - Account Management | Account Monitoring / Atypical + Usage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1024\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84914fb4-12da-4c53-a341-a9fd463bed10\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84914fb4-12da-4c53-a341-a9fd463bed10\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1307 - Identification And Authentication (Org. Users) | Net. + Access To Non-Priv. Accts. 
- Replay\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1307\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/84e622c8-4bed-417c-84c6-b2fb0dd73682\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"84e622c8-4bed-417c-84c6-b2fb0dd73682\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1080 - Use Of External Information Systems | Portable Storage + Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1080\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/852981b4-a380-4704-aa1e-2e52d63445e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"852981b4-a380-4704-aa1e-2e52d63445e5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1580 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1580\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/854db8ac-6adf-42a0-bef3-b73f764f40b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"854db8ac-6adf-42a0-bef3-b73f764f40b9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1348 - Identification And Authentication (Non-Org. Users) + | Acceptance Of Third-Party Credentials\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1348\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/855ced56-417b-4d74-9d5f-dd1bc81e22d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"855ced56-417b-4d74-9d5f-dd1bc81e22d6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1079 - Use Of External Information Systems | Limits On Authorized + Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1079\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/85c32733-7d23-4948-88da-058e2c56b60f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"85c32733-7d23-4948-88da-058e2c56b60f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1326 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1326\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8605fc00-1bf5-4fb3-984e-c95cec4f231d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8605fc00-1bf5-4fb3-984e-c95cec4f231d\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Microsoft Network Server'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Microsoft Network Server'. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. 
This policy should only + be used along with its corresponding audit policy in an initiative. For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-in
frastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkServer\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86880e5c-df35-43c5-95ad-7e120635775e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86880e5c-df35-43c5-95ad-7e120635775e\"},{\"properties\":{\"displayName\":\"Deploy + SQL DB transparent data 
encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enables + transparent data encryption on SQL databases\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},{\"field\":\"name\",\"notEquals\":\"master\"}]},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/transparentDataEncryption.status\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"fullDbName\":{\"type\":\"string\"}},\"resources\":[{\"name\":\"[concat(parameters('fullDbName'), + '/current')]\",\"type\":\"Microsoft.Sql/servers/databases/transparentDataEncryption\",\"apiVersion\":\"2014-04-01\",\"properties\":{\"status\":\"Enabled\"}}]},\"parameters\":{\"fullDbName\":{\"value\":\"[field('fullName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86a912f6-9a06-4e26-b447-11b16ba8659f\"},{\"properties\":{\"displayName\":\"System + updates should be installed on your machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Missing + security system updates on your servers will be monitored by Azure Security + Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"systemUpdates\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86b3d65f-7626-441e-b690-81a8b71cff60\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1507 - Personnel Security Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1507\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86ccd1bf-e7ad-4851-93ce-6ec817469c1e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86ccd1bf-e7ad-4851-93ce-6ec817469c1e\"},{\"properties\":{\"displayName\":\"Ensure + that Register with Azure Active Directory is enabled on API app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + service identity in App Service makes the app more secure by eliminating secrets + from the app, such as credentials in the connection strings. 
When registering + with Azure Active Directory in the app service, the app will connect to other + Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86d97760-d216-4d81-a3ad-163087b2b6c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86d97760-d216-4d81-a3ad-163087b2b6c3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1392 - Information Spillage Response | Post-Spill Operations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1392\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86dc819f-15e1-43f9-a271-41ae58d4cecc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86dc819f-15e1-43f9-a271-41ae58d4cecc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1589 - External 
Information System Services | Risk Assessments + / Organizational Approvals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1589\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/86ec7f9b-9478-40ff-8cfd-6a0d510081a8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"86ec7f9b-9478-40ff-8cfd-6a0d510081a8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1207 - Access Restrictions For Change | Limit Production / + Operational Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1207\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8713a0ed-0d1e-4d10-be82-83dffb39830e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8713a0ed-0d1e-4d10-be82-83dffb39830e\"},{\"properties\":{\"displayName\":\"Require + specified tag\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enforces + existence of a tag. 
Does not apply to resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/871b6d14-10aa-478d-b590-94f262ecfa99\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"871b6d14-10aa-478d-b590-94f262ecfa99\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1180 - Baseline Configuration | Automation Support For Accuracy + / Currency\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1180\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/874e7880-a067-42a7-bcbe-1a340f54c8cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"874e7880-a067-42a7-bcbe-1a340f54c8cc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1635 - Boundary Protection | Host-Based Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1635\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87551b5d-1deb-4d0f-86cc-9dc14cb4bf7e\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Administrative Templates + - Control Panel'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Administrative Templates - Control Panel'. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesControlPanel\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87b590fe-4a1d-4697-ae74-d4fe72ab786c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87b590fe-4a1d-4697-ae74-d4fe72ab786c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1293 - Information System Backup | Separate Storage For Critical + Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1293\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/87f7cd82-2e45-4d0f-9e2f-586b0962d142\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"87f7cd82-2e45-4d0f-9e2f-586b0962d142\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1440 - Media Sanitization | Review / Approve / Track / Document + / Verify\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1440\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/881299bf-2a5b-4686-a1b2-321d33679953\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"881299bf-2a5b-4686-a1b2-321d33679953\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1356 - Incident Response Training | Simulated Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1356\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8829f8f5-e8be-441e-85c9-85b72a5d0ef3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8829f8f5-e8be-441e-85c9-85b72a5d0ef3\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Linux VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Linux virtual machines + that have the specified applications installed. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application + names\",\"description\":\"A semicolon-separated list of the names of the applications + that should not be installed. e.g. 
'python; powershell'\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\"
:[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"not_installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent', + '=', concat('packages: [', replace(parameters('ApplicationName'), ';', ','), + 
']')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"not_installed_application_linux\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: + [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[ChefInSpec]NotInstalledApplicationLinuxResource1;AttributesYmlContent\",\"value\":\"[concat('packages: + [', replace(parameters('ApplicationName'), ';', ','), ']')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/884b209a-963b-4520-8006-d20cb3c213e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"884b209a-963b-4520-8006-d20cb3c213e0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1317 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1317\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8877f519-c166-47b7-81b7-8a8eb4ff3775\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8877f519-c166-47b7-81b7-8a8eb4ff3775\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1501 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1501\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88817b58-8472-4f6c-81fa-58ce42b67f51\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88817b58-8472-4f6c-81fa-58ce42b67f51\"},{\"properties\":{\"displayName\":\"Ensure + that 'Java version' is the latest, if used as a part of the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for Java either due to security flaws or to include + additional functionality. 
Using the latest Python version for Api apps is + recommended in order to to take advantage of security fixes, if any, and/or + new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest + Java version\",\"description\":\"Latest supported Java version for App Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', + parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), + '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88999f4c-376a-45c8-bcb3-4058f713cf39\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88999f4c-376a-45c8-bcb3-4058f713cf39\"},{\"properties\":{\"displayName\":\"Network + interfaces should disable IP forwarding\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy denies the network interfaces which enabled IP 
forwarding. The setting + of IP forwarding disables Azure's check of the source and destination for + a network interface. This should be reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"field\":\"Microsoft.Network/networkInterfaces/enableIpForwarding\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88c0b9da-ce96-4b03-9635-f29a937e2900\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1215 - Least Functionality\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1215\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/88fc93e8-4745-4785-b5a5-b44bb92c44ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"88fc93e8-4745-4785-b5a5-b44bb92c44ff\"},{\"properties\":{\"displayName\":\"SQL + servers should be configured with auditing retention days greater than 90 + days.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + SQL servers configured with an auditing retention period of less than 90 days.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the 
execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/auditingSettings/retentionDays\",\"greater\":90}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"89099bee-89e0-4b26-a5f4-165451757743\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1411 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1411\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/898d4fe8-f743-4333-86b7-0c9245d93e7d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"898d4fe8-f743-4333-86b7-0c9245d93e7d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1092 - Security Awareness Training | Insider Threat\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1092\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8a29d47b-8604-4667-84ef-90d203fcb305\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8a29d47b-8604-4667-84ef-90d203fcb305\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + System settings'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - System settings'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsSystemsettings\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8a39d1f1-5513-4628-b261-f469a5a3341b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8a39d1f1-5513-4628-b261-f469a5a3341b\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs with a pending reboot\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with a pending reboot. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPendingReboot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b0de57a-f511-4d45-a277-17cb79cb163b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b0de57a-f511-4d45-a277-17cb79cb163b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1534 - Personnel Sanctions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1534\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b2b263e-cd05-4488-bcbf-4debec7a17d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b2b263e-cd05-4488-bcbf-4debec7a17d9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1170 - Penetration 
Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1170\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8b78b9b3-ee3c-48e0-a243-ed6dba5b7a12\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Windows Firewall Properties'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Windows Firewall Properties'. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsFirewallProperties\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8bbd627e-4d25-4906-9a6e-3789780af3ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8bbd627e-4d25-4906-9a6e-3789780af3ec\"},{\"properties\":{\"displayName\":\"Ensure + that 'HTTP Version' is the latest, if used to run the Web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + service identity in App Service makes the app more secure by eliminating secrets + from the app, such as credentials in the connection strings. 
When registering + with Azure Active Directory in the app service, the app will connect to other + Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"Equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c122334-9d20-4eb8-89ea-ac9a705b74ae\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1458 - Physical Access Control | Information System Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1458\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c19ceb7-56e9-4488-8ddb-b1eb3aa6d203\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1683 - 
Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1683\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8c79fee4-88dd-44ce-bbd4-4de88948c4f8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8c79fee4-88dd-44ce-bbd4-4de88948c4f8\"},{\"properties\":{\"displayName\":\"Latest + TLS version should be used in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade + to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8cb6aa8b-9e41-4f4e-aa25-089a7ac2581e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1316 - Identifier Management | Identify User 
Status\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1316\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ce14753-66e5-465d-9841-26ef55c09c0d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ce14753-66e5-465d-9841-26ef55c09c0d\"},{\"properties\":{\"displayName\":\"Require + tag and its value on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enforces + a required tag and its value on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ce3da23-7156-49e4-b145-24f95f9dcb46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ce3da23-7156-49e4-b145-24f95f9dcb46\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1324 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and 
Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1324\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8cfea2b3-7f77-497e-ac20-0752f2ff6eee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8cfea2b3-7f77-497e-ac20-0752f2ff6eee\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1225 - Information System Component Inventory | Automated + Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1225\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8d096fe0-f510-4486-8b4d-d17dc230980b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8d096fe0-f510-4486-8b4d-d17dc230980b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1288 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1288\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8d854c3b-a3e6-4ec9-9f0c-c7274dbaeb2f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1281 - Telecommunications Services | Priority Of Service Provisions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1281\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8dc459b3-0e77-45af-8d71-cfd8c9654fe2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8dc459b3-0e77-45af-8d71-cfd8c9654fe2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1250 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1250\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8de614d8-a8b7-4f70-a62a-6d37089a002c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8de614d8-a8b7-4f70-a62a-6d37089a002c\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'System Audit + Policies - Object Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - Object Access'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditDetailedFileShare\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit Detailed File Share\",\"description\":\"If this policy setting is enabled, + access to all shared files and folders on the system is audited. 
Auditing + for Success can lead to very high volumes of events.\"},\"allowedValues\":[\"No + Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No + Auditing\"},\"AuditFileShare\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit File Share\",\"description\":\"Specifies whether to audit events related + to file shares: creation, deletion, modification, and access attempts. Also, + it shows failed SMB SPN checks. Event volumes can be high on DCs and File + Servers.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success + and Failure\"],\"defaultValue\":\"No Auditing\"},\"AuditFileSystem\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit File System\",\"description\":\"Specifies whether audit events are generated + when users attempt to access file system objects. Audit events are generated + only for objects that have configured system access control lists (SACLs).\"},\"allowedValues\":[\"No + Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No + 
Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\
"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit + Detailed File Share;ExpectedValue', '=', parameters('AuditDetailedFileShare'), + ',', 'Audit File Share;ExpectedValue', '=', parameters('AuditFileShare'), + ',', 'Audit File System;ExpectedValue', '=', 
parameters('AuditFileSystem')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesObjectAccess\"},\"AuditDetailedFileShare\":{\"value\":\"[parameters('AuditDetailedFileShare')]\"},\"AuditFileShare\":{\"value\":\"[parameters('AuditFileShare')]\"},\"AuditFileSystem\":{\"value\":\"[parameters('AuditFileSystem')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditDetailedFileShare\":{\"type\":\"string\"},\"AuditFileShare\":{\"type\":\"string\"},\"AuditFileSystem\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Detailed File Share;ExpectedValue\",\"value\":\"[parameters('AuditDetailedFileShare')]\"},{\"name\":\"Audit + File Share;ExpectedValue\",\"value\":\"[parameters('AuditFileShare')]\"},{\"name\":\"Audit + File System;ExpectedValue\",\"value\":\"[parameters('AuditFileSystem')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Detailed File Share;ExpectedValue\",\"value\":\"[parameters('AuditDetailedFileShare')]\"},{\"name\":\"Audit + File Share;ExpectedValue\",\"value\":\"[parameters('AuditFileShare')]\"},{\"name\":\"Audit + File System;ExpectedValue\",\"value\":\"[parameters('AuditFileSystem')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e170edb-e0f5-497a-bb36-48b3280cec6a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e170edb-e0f5-497a-bb36-48b3280cec6a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1278 - Alternate Processing Site | Preparation For Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1278\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e5ef485-9e16-4c53-a475-fbb8107eac59\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e5ef485-9e16-4c53-a475-fbb8107eac59\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1517 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1517\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8f5ad423-50d6-4617-b058-69908f5586c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8f5ad423-50d6-4617-b058-69908f5586c9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1668 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1668\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fb0966e-be1d-42c3-baca-60df5c0bcc61\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fb0966e-be1d-42c3-baca-60df5c0bcc61\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1013 - Account Management | Automated System Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1013\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fd7b917-d83b-4379-af60-51e14e316c61\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fd7b917-d83b-4379-af60-51e14e316c61\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1147 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1147\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8fef824a-29a8-4a4c-88fc-420a39c0d541\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8fef824a-29a8-4a4c-88fc-420a39c0d541\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that do not store passwords using + reversible encryption\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that do not store passwords using reversible encryption. It also creates a + system-assigned managed identity and deploys the VM extension for Guest Configuration. + This policy should only be used along with its corresponding audit policy + in an initiative. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"StorePasswordsUsingReversibleEncryption\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"StorePasswordsUsingReversibleEncryption\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8ff0b18b-262e-4512-857a-48ad0aeb9a78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8ff0b18b-262e-4512-857a-48ad0aeb9a78\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1550 - Vulnerability 
Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1550\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/902908fb-25a8-4225-a3a5-5603c80066c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"902908fb-25a8-4225-a3a5-5603c80066c9\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Windows Firewall + Properties'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Windows Firewall Properties'. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"WindowsFirewallDomainUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Domain): Use profile settings\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Domain profile to filter network traffic. 
If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Domain): Behavior for outbound connections\",\"description\":\"Specifies + the behavior for outbound connections for the Domain profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Domain): Apply local connection security rules\",\"description\":\"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Domain profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Domain): Apply local firewall rules\",\"description\":\"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Domain + profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Domain): Display notifications\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Domain profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Private): Use profile 
settings\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Private profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Private): Behavior for outbound connections\",\"description\":\"Specifies + the behavior for outbound connections for the Private profile that do not + match an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Private): Apply local connection security rules\",\"description\":\"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Private profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Private): Apply local firewall rules\",\"description\":\"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Private + profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Private): Display notifications\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Private 
profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicUseProfileSettings\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Public): Use profile settings\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security uses the settings for the + Public profile to filter network traffic. If you select Off, Windows Firewall + with Advanced Security will not use any of the firewall rules or connection + security rules for this profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Public): Behavior for outbound connections\",\"description\":\"Specifies + the behavior for outbound connections for the Public profile that do not match + an outbound firewall rule. The default value of 0 means to allow connections, + and a value of 1 means to block connections.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPublicApplyLocalConnectionSecurityRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Public): Apply local connection security rules\",\"description\":\"Specifies + whether local administrators are allowed to create connection security rules + that apply together with connection security rules configured by Group Policy + for the Public profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Public): Apply local firewall rules\",\"description\":\"Specifies + whether local administrators are allowed to create local firewall rules that + apply together with firewall rules configured by Group Policy for the Public + profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallPublicDisplayNotifications\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall (Public): Display notifications\",\"description\":\"Specifies + whether 
Windows Firewall with Advanced Security displays notifications to + the user when a program is blocked from receiving inbound connections, for + the Public profile.\"},\"defaultValue\":\"1\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall: Domain: Allow unicast response\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Domain profile.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall: Private: Allow unicast response\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Private profile.\"},\"defaultValue\":\"0\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Windows Firewall: Public: Allow unicast response\",\"description\":\"Specifies + whether Windows Firewall with Advanced Security permits the local computer + to receive unicast responses to its outgoing multicast or broadcast messages; + for the Public 
profile.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Wind
ows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsFirewallProperties\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Windows + Firewall: Domain: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallDomainUseProfileSettings'), + ',', 'Windows Firewall: Domain: Outbound connections;ExpectedValue', '=', + parameters('WindowsFirewallDomainBehaviorForOutboundConnections'), ',', 'Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue', + '=', parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules'), + ',', 'Windows Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue', + '=', parameters('WindowsFirewallDomainApplyLocalFirewallRules'), ',', 'Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallDomainDisplayNotifications'), + ',', 'Windows Firewall: Private: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPrivateUseProfileSettings'), + ',', 'Windows Firewall: Private: Outbound connections;ExpectedValue', '=', + parameters('WindowsFirewallPrivateBehaviorForOutboundConnections'), ',', 'Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue', + '=', 
parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules'), + ',', 'Windows Firewall: Private: Settings: Apply local firewall rules;ExpectedValue', + '=', parameters('WindowsFirewallPrivateApplyLocalFirewallRules'), ',', 'Windows + Firewall: Private: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPrivateDisplayNotifications'), + ',', 'Windows Firewall: Public: Firewall state;ExpectedValue', '=', parameters('WindowsFirewallPublicUseProfileSettings'), + ',', 'Windows Firewall: Public: Outbound connections;ExpectedValue', '=', + parameters('WindowsFirewallPublicBehaviorForOutboundConnections'), ',', 'Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue', + '=', parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules'), + ',', 'Windows Firewall: Public: Settings: Apply local firewall rules;ExpectedValue', + '=', parameters('WindowsFirewallPublicApplyLocalFirewallRules'), ',', 'Windows + Firewall: Public: Settings: Display a notification;ExpectedValue', '=', parameters('WindowsFirewallPublicDisplayNotifications'), + ',', 'Windows Firewall: Domain: Allow unicast response;ExpectedValue', '=', + parameters('WindowsFirewallDomainAllowUnicastResponse'), ',', 'Windows Firewall: + Private: Allow unicast response;ExpectedValue', '=', parameters('WindowsFirewallPrivateAllowUnicastResponse'), + ',', 'Windows Firewall: Public: Allow unicast response;ExpectedValue', '=', + 
parameters('WindowsFirewallPublicAllowUnicastResponse')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_WindowsFirewallProperties\"},\"WindowsFirewallDomainUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},\"WindowsFirewallDomainDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},\"WindowsFirewallPublicUseProfileSettings\":{\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"value\":\"[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]\"},\"WindowsFirewallPublicApplyLocalConnectionSecurityRules\":{\"value\":\"[parameters('Windows
FirewallPublicApplyLocalConnectionSecurityRules')]\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},\"WindowsFirewallPublicDisplayNotifications\":{\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"WindowsFirewallDomainUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallDomainBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallDomainApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallDomainApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallDomainDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallPrivateUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallPrivateBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallPrivateApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallPrivateApplyLocalFirewallRules\":{\"type\":\"string\"},\"WindowsFirewallPrivateDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallPublicUseProfileSettings\":{\"type\":\"string\"},\"WindowsFirewallPublicBehaviorForOutboundConnections\":{\"type\":\"string\"},\"WindowsFirewallPublicApplyLocalConnectionSecurityRules\":{\"type\":\"string\"},\"WindowsFirewallPublicApplyLocalFirewallRules\":{\"type\":\"string\"},\"Window
sFirewallPublicDisplayNotifications\":{\"type\":\"string\"},\"WindowsFirewallDomainAllowUnicastResponse\":{\"type\":\"string\"},\"WindowsFirewallPrivateAllowUnicastResponse\":{\"type\":\"string\"},\"WindowsFirewallPublicAllowUnicastResponse\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Windows + Firewall: Domain: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},{\"name\":\"Windows + Firewall: Domain: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},{\"name\":\"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},{\"name\":\"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},{\"name\":\"Windows + Firewall: Private: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},{\"name\":\"Windows + Firewall: Private: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},{\"name\":\"Windows + Firewall: Private: Settings: Apply local connection 
security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},{\"name\":\"Windows + Firewall: Private: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},{\"name\":\"Windows + Firewall: Public: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},{\"name\":\"Windows + Firewall: Public: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]\"},{\"name\":\"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},{\"name\":\"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},{\"name\":\"Windows + Firewall: Domain: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},{\"name\":\"Windows + Firewall: Private: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},{\"name\":\"Windows + Firewall: Public: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Windows + Firewall: Domain: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainUseProfileSettings')]\"},{\"name\":\"Windows + Firewall: Domain: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainBehaviorForOutboundConnections')]\"},{\"name\":\"Windows + Firewall: Domain: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows + Firewall: Domain: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainApplyLocalFirewallRules')]\"},{\"name\":\"Windows + Firewall: Domain: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainDisplayNotifications')]\"},{\"name\":\"Windows + Firewall: Private: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateUseProfileSettings')]\"},{\"name\":\"Windows + Firewall: Private: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateBehaviorForOutboundConnections')]\"},{\"name\":\"Windows + Firewall: Private: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows + Firewall: Private: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateApplyLocalFirewallRules')]\"},{\"name\":\"Windows + Firewall: Private: Settings: 
Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateDisplayNotifications')]\"},{\"name\":\"Windows + Firewall: Public: Firewall state;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicUseProfileSettings')]\"},{\"name\":\"Windows + Firewall: Public: Outbound connections;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicBehaviorForOutboundConnections')]\"},{\"name\":\"Windows + Firewall: Public: Settings: Apply local connection security rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalConnectionSecurityRules')]\"},{\"name\":\"Windows + Firewall: Public: Settings: Apply local firewall rules;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicApplyLocalFirewallRules')]\"},{\"name\":\"Windows + Firewall: Public: Settings: Display a notification;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicDisplayNotifications')]\"},{\"name\":\"Windows + Firewall: Domain: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallDomainAllowUnicastResponse')]\"},{\"name\":\"Windows + Firewall: Private: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPrivateAllowUnicastResponse')]\"},{\"name\":\"Windows + Firewall: Public: Allow unicast response;ExpectedValue\",\"value\":\"[parameters('WindowsFirewallPublicAllowUnicastResponse')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/909c958d-1b99-4c74-b88f-46a5c5bc34f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"909c958d-1b99-4c74-b88f-46a5c5bc34f9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1133 - Protection Of Audit Information | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1133\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90b60a09-133d-45bc-86ef-b206a6134bbe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90b60a09-133d-45bc-86ef-b206a6134bbe\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs that do not have the specified Windows + PowerShell modules installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that do not have the specified Windows PowerShell modules installed. 
It also + creates a system-assigned managed identity and deploys the VM extension for + Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"Modules\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"PowerShell + Modules\",\"description\":\"A semicolon-separated list of the names of the + PowerShell modules that should be installed. You may also specify a specific + version of a module that should be installed by including a comma after the + module name, followed by the desired version. e.g. PSDscResources; SqlServerDsc, + 12.0.0.0; ComputerManagementDsc, 6.1.0.0\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"eq
uals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellModules\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[PowerShellModules]PowerShellModules1;Modules', + '=', 
parameters('Modules')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPowerShellModules\"},\"Modules\":{\"value\":\"[parameters('Modules')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"Modules\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellModules]PowerShellModules1;Modules\",\"value\":\"[parameters('Modules')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellModules]PowerShellModules1;Modules\",\"value\":\"[parameters('Modules')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90ba2ee7-4ca8-4673-84d1-c851c50d3baf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90ba2ee7-4ca8-4673-84d1-c851c50d3baf\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1140 - Audit Generation | System-Wide / Time-Correlated Audit + Trail\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1140\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90d8b8ad-8ee3-4db7-913f-2a53fcff5316\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90d8b8ad-8ee3-4db7-913f-2a53fcff5316\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1355 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1355\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90e01f69-3074-4de8-ade7-0fef3e7d83e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90e01f69-3074-4de8-ade7-0fef3e7d83e0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1657 - Secure Name / Address Resolution Service (Authoritative + Source)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1657\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/90f01329-a100-43c2-af31-098996135d2b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"90f01329-a100-43c2-af31-098996135d2b\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Windows Components'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Windows Components'. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_WindowsComponents\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9178b430-2295-406e-bb28-f6a7a2a2f897\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9178b430-2295-406e-bb28-f6a7a2a2f897\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1069 - Wireless Access | Authentication And Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1069\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/91c97b44-791e-46e9-bad7-ab7c4949edbb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"91c97b44-791e-46e9-bad7-ab7c4949edbb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1370 - 
Incident Monitoring | Automated Tracking / Data Collection + / Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1370\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/924e1b2d-c502-478f-bfdb-a7e09a0d5c01\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"924e1b2d-c502-478f-bfdb-a7e09a0d5c01\"},{\"properties\":{\"displayName\":\"MFA + should be enabled accounts with write permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + Authentication (MFA) should be enabled for all subscription accounts with + write privileges to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForWritePermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9297c21d-2ed6-4474-b48f-163f75654ce3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9297c21d-2ed6-4474-b48f-163f75654ce3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1290 - Information System Backup\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1290\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/92f85ce9-17b7-49ea-85ee-ea7271ea6b82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"92f85ce9-17b7-49ea-85ee-ea7271ea6b82\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that contain certificates expiring within + the specified number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. 
This definition allows Azure Policy to process the results of + auditing Windows virtual machines that contain certificates expiring within + the specified number of days. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",
\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"CertificateExpiration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9328f27e-611e-44a7-a244-39109d7d35ab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9328f27e-611e-44a7-a244-39109d7d35ab\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs in which the Administrators group does + not contain all of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + in which the Administrators group does not contain all of the specified members. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MembersToInclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members + to include\",\"description\":\"A semicolon-separated list of members that + should be included in the Administrators local group. Ex: Administrator; myUser1; + myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field
\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToInclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;MembersToInclude', + '=', 
parameters('MembersToInclude')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembersToInclude\"},\"MembersToInclude\":{\"value\":\"[parameters('MembersToInclude')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MembersToInclude\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToInclude\",\"value\":\"[parameters('MembersToInclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;MembersToInclude\",\"value\":\"[parameters('MembersToInclude')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93507a81-10a4-4af0-9ee2-34cf25a96e98\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93507a81-10a4-4af0-9ee2-34cf25a96e98\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1575 - Acquisition Process | Functional Properties Of Security + Controls\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1575\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93e1bb73-1b08-4dbe-9c62-8e2e92e7ec41\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1674 - Flaw Remediation | Time To Remediate Flaws / Benchmarks + For Corrective Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1674\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93e9e233-dd0a-4bde-aea5-1371bce0e002\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93e9e233-dd0a-4bde-aea5-1371bce0e002\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1297 - Information System Recovery And Reconstitution | Restore + Within Time Period\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1297\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/93fd8af1-c161-4bae-9ba9-f62731f76439\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"93fd8af1-c161-4bae-9ba9-f62731f76439\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1284 - Telecommunications Services | Provider Contingency + Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1284\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/942b3e97-6ae3-410e-a794-c9c999b97c0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"942b3e97-6ae3-410e-a794-c9c999b97c0b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1379 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1379\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9442dd2c-a07f-46cd-b55a-553b66ba47ca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9442dd2c-a07f-46cd-b55a-553b66ba47ca\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1371 - Incident Reporting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1371\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9447f354-2c85-4700-93b3-ecdc6cb6a417\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9447f354-2c85-4700-93b3-ecdc6cb6a417\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation only in European data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation in the following locations only: North Europe, West 
Europe\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/94c19f19-8192-48cd-a11b-e37099d3e36b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"94c19f19-8192-48cd-a11b-e37099d3e36b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1526 - Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1526\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/953e6261-a05a-44fd-8246-000e1a3edbb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"953e6261-a05a-44fd-8246-000e1a3edbb9\"},{\"properties\":{\"displayName\":\"Authentication + should be enabled on your web app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the web app, or authenticate those that have tokens before they + reach the web app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"95bccee9-a7f8-4bec-9ee9-62c3473701fc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1163 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1163\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/961663a1-8a91-4e59-b6f5-1eee57c0f49c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"961663a1-8a91-4e59-b6f5-1eee57c0f49c\"},{\"properties\":{\"displayName\":\"Require + specified tag on resource groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enforces + existence of a tag on resource groups.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 
'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/96670d01-0a4d-4649-9c89-2d3abc0a5025\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"96670d01-0a4d-4649-9c89-2d3abc0a5025\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1717 - Software, Firmware, And Information Integrity | Binary + Or Machine Executable Code\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1717\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"967773fc-d9ab-4a4e-8ff6-f5e9e3f5dbef\"},{\"properties\":{\"displayName\":\"Advanced + data security settings for SQL server should contain an email address to receive + security alerts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Ensure + that an email address is provided for the 'Send alerts to' field in the Advanced + Data Security server settings. 
This email address receives alert notifications + when anomalous activities are detected on SQL servers.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/emailAddresses[*]\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9677b740-f641-4f3c-b9c5-466005c85278\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9677b740-f641-4f3c-b9c5-466005c85278\"},{\"properties\":{\"displayName\":\"App + Configuration should use a customer managed key\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any App Configuration instance that does not use a customer + managed key.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Configuration\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.AppConfiguration/configurationStores\"},{\"field\":\"Microsoft.AppConfiguration/configurationStores/encryption.keyVaultProperties.keyIdentifier\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"967a4b4b-2da9-43c1-b7d0-f98d0d74d0b1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1453 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1453\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9693b564-3008-42bc-9d5d-9c7fe198c011\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9693b564-3008-42bc-9d5d-9c7fe198c011\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Administrative Templates + - MSS (Legacy)'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Administrative Templates - MSS (Legacy)'. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.1-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97646672-5efa-4622-9b54-740270ad60bf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97646672-5efa-4622-9b54-740270ad60bf\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1607 - Developer Security Testing And Evaluation | Dynamic + Code Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1607\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/976a74cf-b192-4d35-8cab-2068f272addb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"976a74cf-b192-4d35-8cab-2068f272addb\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'System Audit + Policies - Policy Change'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - Policy Change'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditAuthenticationPolicyChange\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit Authentication Policy Change\",\"description\":\"Specifies whether audit + events are generated when changes are made to authentication policy. 
This + setting is useful for tracking changes in domain-level and forest-level trust + and privileges that are granted to user accounts or groups.\"},\"allowedValues\":[\"No + Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"Success\"},\"AuditAuthorizationPolicyChange\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit Authorization Policy Change\",\"description\":\"Specifies whether audit + events are generated for assignment and removal of user rights in user right + policies, changes in security token object permission, resource attributes + changes and Central Access Policy changes for file system objects.\"},\"allowedValues\":[\"No + Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"No + Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-wind
ows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit + Authentication Policy Change;ExpectedValue', '=', parameters('AuditAuthenticationPolicyChange'), + ',', 'Audit Authorization Policy Change;ExpectedValue', '=', 
parameters('AuditAuthorizationPolicyChange')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\"},\"AuditAuthenticationPolicyChange\":{\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},\"AuditAuthorizationPolicyChange\":{\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditAuthenticationPolicyChange\":{\"type\":\"string\"},\"AuditAuthorizationPolicyChange\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Authentication Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},{\"name\":\"Audit + Authorization Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Authentication Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthenticationPolicyChange')]\"},{\"name\":\"Audit + Authorization Policy Change;ExpectedValue\",\"value\":\"[parameters('AuditAuthorizationPolicyChange')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97b595c8-fd10-400e-8543-28e2b9138b13\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97b595c8-fd10-400e-8543-28e2b9138b13\"},{\"properties\":{\"displayName\":\"Microsoft + 
Managed Control 1136 - Audit Record Retention\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1136\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97ed5bac-a92f-4f6d-a8ed-dc094723597c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97ed5bac-a92f-4f6d-a8ed-dc094723597c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1378 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1378\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/97fceb70-6983-42d0-9331-18ad8253184d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"97fceb70-6983-42d0-9331-18ad8253184d\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation only in United States data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation in the following locations only: Central US, East US, East + US2, North Central US, South Central US, West 
US\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"centralus\",\"eastus\",\"eastus2\",\"northcentralus\",\"southcentralus\",\"westus\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/983211ba-f348-4758-983b-21fa29294869\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"983211ba-f348-4758-983b-21fa29294869\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Administrative + Templates - Network'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Administrative Templates + - Network'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"EnableInsecureGuestLogons\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Enable insecure guest logons\",\"description\":\"Specifies whether the SMB + client will allow insecure guest logons to an SMB server.\"},\"defaultValue\":\"0\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Allow simultaneous connections to the Internet or a Windows Domain\",\"description\":\"Specify + whether to prevent computers from connecting to both a domain based network + and a non-domain based network at the same time. 
A value of 0 allows simultaneous + connections, and a value of 1 blocks them.\"},\"defaultValue\":\"1\"},\"TurnOffMulticastNameResolution\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Turn off multicast name resolution\",\"description\":\"Specifies whether LLMNR, + a secondary name resolution protocol that transmits using multicast over a + local subnet link on a single subnet, is enabled.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-win
dows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesNetwork\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Enable + insecure guest logons;ExpectedValue', '=', parameters('EnableInsecureGuestLogons'), + ',', 'Minimize the number of simultaneous connections to the Internet or a + Windows Domain;ExpectedValue', '=', parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain'), + ',', 'Turn off multicast name resolution;ExpectedValue', '=', 
parameters('TurnOffMulticastNameResolution')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesNetwork\"},\"EnableInsecureGuestLogons\":{\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},\"TurnOffMulticastNameResolution\":{\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EnableInsecureGuestLogons\":{\"type\":\"string\"},\"AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain\":{\"type\":\"string\"},\"TurnOffMulticastNameResolution\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enable + insecure guest logons;ExpectedValue\",\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},{\"name\":\"Minimize + the number of simultaneous connections to the Internet or a Windows 
Domain;ExpectedValue\",\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},{\"name\":\"Turn + off multicast name resolution;ExpectedValue\",\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enable + insecure guest logons;ExpectedValue\",\"value\":\"[parameters('EnableInsecureGuestLogons')]\"},{\"name\":\"Minimize + the number of simultaneous connections to the Internet or a Windows Domain;ExpectedValue\",\"value\":\"[parameters('AllowSimultaneousConnectionsToTheInternetOrAWindowsDomain')]\"},{\"name\":\"Turn + off multicast name resolution;ExpectedValue\",\"value\":\"[parameters('TurnOffMulticastNameResolution')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/985285b7-b97a-419c-8d48-c88cc934c8d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"985285b7-b97a-419c-8d48-c88cc934c8d8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1076 - Use Of External Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1076\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/98a4bd5f-6436-46d4-ad00-930b5b1dfed4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"98a4bd5f-6436-46d4-ad00-930b5b1dfed4\"},{\"properties\":{\"displayName\":\"Ensure + that 'HTTP Version' is the latest, if used to run the Api app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for HTTP either due to security flaws or to include + additional functionality. 
Using the latest HTTP version for web apps to take + advantage of security fixes, if any, and/or new functionalities of the newer + version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/991310cd-e9f3-47bc-b7b6-f57b557d07db\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"991310cd-e9f3-47bc-b7b6-f57b557d07db\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1102 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1102\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9943c16a-c54c-4b4a-ad28-bfd938cdbf57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9943c16a-c54c-4b4a-ad28-bfd938cdbf57\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1300 - Identification And Authentication (Organizational 
Users)\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1300\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/99deec7d-5526-472e-b07c-3645a792026a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"99deec7d-5526-472e-b07c-3645a792026a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1036 - Least Privilege | Non-Privileged Access For Nonsecurity + Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1036\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a16d673-8cf0-4dcf-b1d5-9b3e114fef71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a16d673-8cf0-4dcf-b1d5-9b3e114fef71\"},{\"properties\":{\"displayName\":\"FTPS + only should be required in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Enable + FTPS enforcement for enhanced security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable 
+ or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/ftpsState\",\"equals\":\"FtpsOnly\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a1b8c48-453a-4044-86c3-d8bfd823e4f5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a1b8c48-453a-4044-86c3-d8bfd823e4f5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1021 - Account Management | Restrictions On Use Of Shared + / Group Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1021\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a3eb0a3-428d-4669-baff-20a14eb4b551\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a3eb0a3-428d-4669-baff-20a14eb4b551\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Azure SQL Database to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Azure SQL Database to stream to a regional Event + Hub on any Azure SQL Database which is missing this diagnostic settings is + created or 
updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"fullName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"resources\":[{\"type\":\"Microsoft.Sql/servers/databases/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('fullName'), + '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"QueryStoreRuntimeStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"QueryStoreWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Errors\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"DatabaseWaitStatistics\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Blocks\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLInsights\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"SQLSecurityAuditEvents\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Timeouts\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutomaticTuning\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Deadlocks\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + diagnostic settings for ', parameters('fullName'))]\"}}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"fullName\":{\"value\":\"[field('fullName')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9a7c7a7d-49e5-4213-bea8-6a502b6272e0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9a7c7a7d-49e5-4213-bea8-6a502b6272e0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1049 - System Use 
Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1049\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9adf7ba7-900a-4f35-8d57-9f34aafc405c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9adf7ba7-900a-4f35-8d57-9f34aafc405c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1563 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1563\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9afe2edf-232c-4fdf-8e6a-e867a5c525fd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9afe2edf-232c-4fdf-8e6a-e867a5c525fd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1462 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1462\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9b1f3a9a-13a1-4b40-8420-36bca6fd8c02\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9b1f3a9a-13a1-4b40-8420-36bca6fd8c02\"},{\"properties\":{\"displayName\":\"Microsoft + IaaSAntimalware extension should be deployed on Windows servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Windows server VM without Microsoft IaaSAntimalware extension + deployed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"2019-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\"]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9b597639-28e4-48eb-b506-56b05d366257\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1236 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1236\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ba3ed84-c768-4e18-b87c-34ef1aff1b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ba3ed84-c768-4e18-b87c-34ef1aff1b57\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1525 - Personnel Transfer\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1525\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9be2f688-7a61-45e3-8230-e1ec93893f66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9be2f688-7a61-45e3-8230-e1ec93893f66\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit API Applications that are not using latest supported Java Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported Java version for the latest security classes. 
Using older + classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestJava\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9bfe3727-0a17-471f-a2fe-eddd6b668745\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9bfe3727-0a17-471f-a2fe-eddd6b668745\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1138 - Audit Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1138\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9c284fc0-268a-4f29-af44-3c126674edb4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9c284fc0-268a-4f29-af44-3c126674edb4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1135 
- Non-Repudiation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1135\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9c308b6b-2429-4b97-86cf-081b8e737b04\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9c308b6b-2429-4b97-86cf-081b8e737b04\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1489 - Location Of Information System Components\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1489\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d0a794f-1444-4c96-9534-e35fc8c39c91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d0a794f-1444-4c96-9534-e35fc8c39c91\"},{\"properties\":{\"displayName\":\"Ensure + that 'Java version' is the latest, if used as a part of the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for Java software either due to security flaws + or to include additional functionality. 
Using the latest Java version for + Function apps is recommended in order to to take advantage of security fixes, + if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"JavaLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest + Java version\",\"description\":\"Latest supported Java version for App Services\"},\"defaultValue\":\"11\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"JAVA\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"like\":\"[concat('*', + parameters('JavaLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.javaVersion\",\"like\":\"[concat(parameters('JavaLatestVersion'), + '*')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1322 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this 
Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1322\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d1d971e-467e-4278-9633-c74c3d4fecc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d1d971e-467e-4278-9633-c74c3d4fecc4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1233 - Configuration Management Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1233\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d79001f-95fe-45d0-8736-f217e78c1f57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d79001f-95fe-45d0-8736-f217e78c1f57\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1305 - Identification And Authentication (Org. 
Users) | Group + Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1305\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d9166a8-1722-4b8f-847c-2cf3f2618b3d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d9166a8-1722-4b8f-847c-2cf3f2618b3d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1259 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1259\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9d9e18f7-bad9-4d30-8806-a0c9d5e26208\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9d9e18f7-bad9-4d30-8806-a0c9d5e26208\"},{\"properties\":{\"displayName\":\"Access + through Internet facing endpoint should be restricted\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Azure + Security center has identified some of your Network Security Groups' inbound + rules to be too permissive. Inbound rules should not allow access from 'Any' + or 'Internet' ranges. 
This can potentially enable attackers to easily target + your resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"unprotectedNetworkEndpoint\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9daedab3-fb2d-461e-b861-71790eead4f6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1500 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1500\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9dd5b241-03cb-47d3-a5cd-4b89f9c53c92\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9dd5b241-03cb-47d3-a5cd-4b89f9c53c92\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1482 - Temperature And Humidity Controls | Monitoring With + Alarms / 
Notifications\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1482\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9df4277e-8c88-4d5c-9b1a-541d53d15d7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9df4277e-8c88-4d5c-9b1a-541d53d15d7b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1553 - Vulnerability Scanning | Breadth / Depth Of Coverage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1553\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e5225fe-cdfb-4fce-9aec-0fe20dd53b62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e5225fe-cdfb-4fce-9aec-0fe20dd53b62\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1490 - Security Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1490\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e61da80-0957-4892-b70c-609d5eaafb6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e61da80-0957-4892-b70c-609d5eaafb6b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1504 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1504\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e7c35d0-12d4-4e0c-80a2-8a352537aefd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e7c35d0-12d4-4e0c-80a2-8a352537aefd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1609 - Development Process, Standards, And Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1609\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9e93fa71-42ac-41a7-b177-efbfdc53c69f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9e93fa71-42ac-41a7-b177-efbfdc53c69f\"},{\"properties\":{\"displayName\":\"Append + tag and its value from the resource group\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Appends + the specified tag with its value from the resource group when any resource + which is missing this tag is created or updated. Does not modify the tags + of resources created before this policy was applied until those resources + are changed. New 'modify' effect policies are available that support remediation + of tags on existing resources (see https://aka.ms/modifydoc).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"append\",\"details\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ea02ca2-71db-412d-8b00-7c7ca9fcd32d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ea02ca2-71db-412d-8b00-7c7ca9fcd32d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1494 - System Security 
Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1494\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ed09d84-3311-4853-8b67-2b55dfa33d09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ed09d84-3311-4853-8b67-2b55dfa33d09\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1514 - Personnel Screening | Information With Special Protection + Measures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1514\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9ed5ca00-0e43-434e-a018-7aab91461ba7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9ed5ca00-0e43-434e-a018-7aab91461ba7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1187 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1187\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9f2b2f9e-4ba6-46c3-907f-66db138b6f85\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9f2b2f9e-4ba6-46c3-907f-66db138b6f85\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs that are not set to the specified time zone\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that are not set to the specified time zone. + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\"
:[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsTimeZone\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9f658460-46b7-43af-8565-94fc0662be38\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9f658460-46b7-43af-8565-94fc0662be38\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1354 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1354\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/9fd92c17-163a-4511-bb96-bbb476449796\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"9fd92c17-163a-4511-bb96-bbb476449796\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs on which the Log Analytics agent is not + connected as expected\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy 
policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines on which the Log Analytics agent is not + connected to the specified workspaces. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"M
icrosoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsLogAnalyticsAgentConnection\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a030a57e-4639-4e8f-ade9-a92f33afe7ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a030a57e-4639-4e8f-ade9-a92f33afe7ee\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1145 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1145\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0724970-9c75-4a64-a225-a28002953f28\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0724970-9c75-4a64-a225-a28002953f28\"},{\"properties\":{\"displayName\":\"Allowed + resource types\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy enables you to specify the resource types that your organization can + deploy. Only resource types that support 'tags' and 'location' will be affected + by this policy. To restrict all resources please duplicate this policy and + change the 'mode' to 'All'.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfResourceTypesAllowed\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of resource types that can be deployed.\",\"displayName\":\"Allowed resource + types\",\"strongType\":\"resourceTypes\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"type\",\"in\":\"[parameters('listOfResourceTypesAllowed')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a08ec900-254a-4555-9bf5-e42af04b5c5c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1245 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1245\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0e45314-57b8-4623-80cd-bbb561f59516\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0e45314-57b8-4623-80cd-bbb561f59516\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1406 - Maintenance Tools | Inspect Media\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1406\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a0f5339c-9292-43aa-a0bc-d27c6b8e30aa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a0f5339c-9292-43aa-a0bc-d27c6b8e30aa\"},{\"properties\":{\"displayName\":\"Security + Center standard pricing tier should be selected\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + standard pricing tier enables threat detection for networks and virtual machines, + providing threat intelligence, anomaly detection, and behavior analytics in + Azure Security Center\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Security/pricings\"},{\"field\":\"Microsoft.Security/pricings/pricingTier\",\"exists\":\"true\"},{\"field\":\"Microsoft.Security/pricings/pricingTier\",\"notEquals\":\"Standard\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1181c5f-672a-477a-979a-7d58aa086233\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1181c5f-672a-477a-979a-7d58aa086233\"},{\"properties\":{\"displayName\":\"All + authorization rules except RootManageSharedAccessKey should be removed from + Service Bus namespace\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Service + Bus clients should not use a namespace level access policy that provides access + to all queues and topics in a namespace. To align with the least privilege + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"Service + Bus\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces/authorizationRules\"},{\"field\":\"name\",\"notEquals\":\"RootManageSharedAccessKey\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1817ec0-a368-432a-8057-8371e17ac6ee\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1265 - Contingency Plan Testing | 
Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1265\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a18adb5b-1db6-4a5b-901a-7d3797d12972\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a18adb5b-1db6-4a5b-901a-7d3797d12972\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Logic Apps to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Logic Apps to stream to a regional Event Hub when + any Logic Apps which is missing this diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Logic/workflows/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName
'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"WorkflowRuntime\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1dae6c7-13f3-48ea-a149-ff8442661f60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1dae6c7-13f3-48ea-a149-ff8442661f60\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Administrative Templates + - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Administrative Templates - System'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a1e8dda3-9fd2-4835-aec3-0e55531fde33\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a1e8dda3-9fd2-4835-aec3-0e55531fde33\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1612 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1612\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2037b3d-8b04-4171-8610-e6d4f1d08db5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2037b3d-8b04-4171-8610-e6d4f1d08db5\"},{\"properties\":{\"displayName\":\"Microsoft + 
Managed Control 1197 - Configuration Change Control | Test / Validate / Document + Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1197\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a20d2eaa-88e2-4907-96a2-8f3a05797e5c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a20d2eaa-88e2-4907-96a2-8f3a05797e5c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1275 - Alternate Processing Site | Separation From Primary + Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1275\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a23d9d53-ad2e-45ef-afd5-e6d10900a737\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a23d9d53-ad2e-45ef-afd5-e6d10900a737\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1690 - Information System Monitoring | System-Wide Intrusion + Detection System\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1690\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2567a23-d1c3-4783-99f3-d471302a4d6b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2567a23-d1c3-4783-99f3-d471302a4d6b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1410 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1410\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2596a9f-e59f-420d-9625-6e0b536348be\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2596a9f-e59f-420d-9625-6e0b536348be\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1059 - Remote Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1059\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a29b5d9f-4953-4afe-b560-203a6410b6b4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a29b5d9f-4953-4afe-b560-203a6410b6b4\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs that are not joined to the specified domain\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that are not joined to the specified domain. + For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + 
Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\"
:[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDomainMembership\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a29ee95c-0395-4515-9851-cc04ffe82a91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a29ee95c-0395-4515-9851-cc04ffe82a91\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1532 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1532\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2c66299-9017-4d95-8040-8bdbf7901d52\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2c66299-9017-4d95-8040-8bdbf7901d52\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1664 - Protection Of Information At Rest | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1664\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2cdf6b8-9505-4619-b579-309ba72037ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2cdf6b8-9505-4619-b579-309ba72037ac\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1252 - Contingency Plan | Capacity Planning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1252\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a328fd72-8ff5-4f96-8c9c-b30ed95db4ab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a328fd72-8ff5-4f96-8c9c-b30ed95db4ab\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1238 - User-Installed Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1238\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a36cedd4-3ffd-4b1f-8b18-aa71d8d87ce1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1693 - Information System Monitoring | System-Generated Alerts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1693\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a450eba6-2efc-4a00-846a-5804a93c6b77\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a450eba6-2efc-4a00-846a-5804a93c6b77\"},{\"properties\":{\"displayName\":\"Audit + usage of custom RBAC rules\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC + roles, which are error prone. 
Using custom roles is treated as an exception + and requires a rigorous review and threat modeling\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Authorization/roleDefinitions\"},{\"field\":\"Microsoft.Authorization/roleDefinitions/type\",\"equals\":\"CustomRole\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a451c1ef-c6ca-483d-87ed-f49761e3ffb5\"},{\"properties\":{\"displayName\":\"Web + Application should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + of HTTPS ensures server/service authentication and protects data in transit + from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a4af4a39-4135-47fb-b175-47fbdf85311d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1617 - Application 
Partitioning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1617\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a631d8f5-eb81-4f9d-9ee1-74431371e4a3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a631d8f5-eb81-4f9d-9ee1-74431371e4a3\"},{\"properties\":{\"displayName\":\"Auditing + on SQL server should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Auditing + on your SQL Server should be enabled to track database activities across all + databases on the server and save them in an audit log.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"setting\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Desired + Auditing 
setting\"},\"allowedValues\":[\"enabled\",\"disabled\"],\"defaultValue\":\"enabled\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"[parameters('setting')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9\"},{\"properties\":{\"displayName\":\"The + Log Analytics agent should be installed on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Windows/Linux virtual machines if the Log Analytics agent + is not installed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"in\":[\"MicrosoftMonitoringAgent\",\"OmsAgentForLinux\"]},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a70ca396-0a34-413a-88e1-b956c1e683be\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a70ca396-0a34-413a-88e1-b956c1e683be\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1431 - Media Storage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1431\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7173c52-2b99-4696-a576-63dd5f970ef4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7173c52-2b99-4696-a576-63dd5f970ef4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1644 - Cryptographic Key Establishment And Management | 
Availability\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1644\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7211477-c970-446b-b4af-062f37461147\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7211477-c970-446b-b4af-062f37461147\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1027 - Access Enforcement\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1027\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a76ca9b0-3f4a-4192-9a38-b25e4f8ae48c\"},{\"properties\":{\"displayName\":\"DDoS + Protection Standard should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"DDoS + protection standard should be enabled for all virtual networks with a subnet + that is part of an application gateway with a public IP.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"microsoft.network/virtualNetworks\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableDDoSProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7aca53f-2ed4-4466-a25e-0b45ade68efd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1570 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1570\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7fcf38d-bb09-4600-be7d-825046eb162a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7fcf38d-bb09-4600-be7d-825046eb162a\"},{\"properties\":{\"displayName\":\"Require + encryption on Data Lake Store accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy ensures encryption is enabled on all Data Lake Store accounts\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Data + 
Lake\"},\"parameters\":{},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},{\"field\":\"Microsoft.DataLakeStore/accounts/encryptionState\",\"equals\":\"Disabled\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a7ff3161-0087-490a-9ad9-ad6217f4f43a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1295 - Information System Recovery And Reconstitution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1295\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a895fbdb-204d-4302-9689-0a59dc42b3d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a895fbdb-204d-4302-9689-0a59dc42b3d9\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Monitor unencrypted SQL databases in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Unencrypted + SQL databases will be monitored by Azure Security Center as recommendations. 
+ This policy is deprecated and replaced by the following policy: Transparent + Data Encryption on SQL databases should be enabled'\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.SQL/servers/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"encryption\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a8bef009-a5c9-4d0f-90d7-6018734e8a16\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a8bef009-a5c9-4d0f-90d7-6018734e8a16\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1283 - Telecommunications Services | Separation Of Primary + / Alternate Providers\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1283\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9172e76-7f56-46e9-93bf-75d69bdb5491\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9172e76-7f56-46e9-93bf-75d69bdb5491\"},{\"properties\":{\"displayName\":\"Microsoft + Managed 
Control 1400 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1400\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a96d5098-a604-4cdf-90b1-ef6449a27424\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a96d5098-a604-4cdf-90b1-ef6449a27424\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1118 - Audit Review, Analysis, And Reporting | Correlate Audit + Repositories\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1118\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a96f743d-a195-420d-983a-08aa06bc441e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a96f743d-a195-420d-983a-08aa06bc441e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1199 - Configuration Change Control | Cryptography Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1199\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9a08d1c-09b1-48f1-90ea-029bbdf7111e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9a08d1c-09b1-48f1-90ea-029bbdf7111e\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - Detailed Tracking'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - Detailed Tracking'. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesDetailedTracking\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9a33475-481d-4b81-9116-0bf02ffe67e8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9a33475-481d-4b81-9116-0bf02ffe67e8\"},{\"properties\":{\"displayName\":\"Deploy + network watcher when virtual networks are created\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a network watcher resource in regions with virtual networks. 
+ You need to ensure existence of a resource group named networkWatcherRG, which + will be used to deploy network watcher instances.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Network/networkWatchers\",\"resourceGroupName\":\"networkWatcherRG\",\"existenceCondition\":{\"field\":\"location\",\"equals\":\"[field('location')]\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2016-09-01\",\"type\":\"Microsoft.Network/networkWatchers\",\"name\":\"[concat('networkWatcher_', + parameters('location'))]\",\"location\":\"[parameters('location')]\"}]},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9b99dd8-06c5-4317-8629-9d86a3c6e7d9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1511 - Personnel Screening\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1511\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a9eae324-d327-4539-9293-b48e122465f8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a9eae324-d327-4539-9293-b48e122465f8\"},{\"properties\":{\"displayName\":\"MFA + should be enabled on accounts with owner permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + Authentication (MFA) should be enabled for all subscription accounts with + owner permissions to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aa633080-8b72-40c4-a2d7-d00c03e80bed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aa633080-8b72-40c4-a2d7-d00c03e80bed\"},{\"properties\":{\"displayName\":\"Ensure + that Register with Azure Active Directory is enabled on WEB App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + service identity in App 
Service makes the app more secure by eliminating secrets + from the app, such as credentials in the connection strings. When registering + with Azure Active Directory in the app service, the app will connect to other + Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aa81768c-cb87-4ce2-bfaa-00baa10d760c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aa81768c-cb87-4ce2-bfaa-00baa10d760c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1539 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1539\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aabb155f-e7a5-4896-a767-e918bfae2ee0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aabb155f-e7a5-4896-a767-e918bfae2ee0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1006 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1006\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aae8d54c-4bce-4c04-b3aa-5b65b67caac8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aae8d54c-4bce-4c04-b3aa-5b65b67caac8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1461 - Monitoring Physical Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1461\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aafef03e-fea8-470b-88fa-54bd1fcd7064\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aafef03e-fea8-470b-88fa-54bd1fcd7064\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1073 - Access Control For Mobile Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1073\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ab55cdb0-c7dd-4bd8-ae22-a7cea7594e9c\"},{\"properties\":{\"displayName\":\"Ensure + that 'PHP version' is the latest, if used as a part of the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for PHP software either due to security flaws + or to include additional functionality. 
Using the latest PHP version for Function + apps is recommended in order to to take advantage of security fixes, if any, + and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"PHPLatestVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Latest + PHP version\",\"description\":\"Latest supported PHP version for App Services\"},\"defaultValue\":\"7.3\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"notContains\":\"PHP\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"[concat('PHP|', + parameters('PHPLatestVersion'))]\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"\"}]},{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/web.linuxFxVersion\",\"equals\":\"\"},{\"field\":\"Microsoft.Web/sites/config/web.phpVersion\",\"equals\":\"[parameters('PHPLatestVersion')]\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ab965db2-d2bf-4b64-8b39-c38ec8179461\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ab965db2-d2bf-4b64-8b39-c38ec8179461\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Automatic provisioning of security monitoring agent\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Installs + security agent on VMs for advanced 
security alerts and preventions in Azure + Security Center. Applies only for subscriptions that use Azure Security Center.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"AuditIfNotExists\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"securityAgent\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abcc6037-1fc4-47f6-aac5-89706589be24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abcc6037-1fc4-47f6-aac5-89706589be24\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1323 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1323\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abe8f70b-680f-470c-9b86-a7edfb664ecc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abe8f70b-680f-470c-9b86-a7edfb664ecc\"},{\"properties\":{\"displayName\":\"Advanced + data security should be enabled on your SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + SQL servers without Advanced Data 
Security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/state\",\"equals\":\"Enabled\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9\"},{\"properties\":{\"displayName\":\"Advanced + data security should be enabled on your SQL managed instances\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + SQL managed instances without Advanced Data Security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/state\",\"equals\":\"Enabled\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9\"},{\"properties\":{\"displayName\":\"Enable + Azure Security Center on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Identifies + existing subscriptions that are not monitored by Azure Security Center (ASC).\\nSubscriptions + not monitored by ASC will be registered to the free pricing tier.\\nSubscriptions + already monitored by ASC (free or standard), will be considered compliant.\\nTo + register newly created subscriptions, open the compliance tab, select the + relevant non-compliant assignment and create a remediation task.\\nRepeat + this step when you have one or more new subscriptions you want to monitor + with Security Center.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + 
Center\"},\"parameters\":{},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Security/pricings\",\"name\":\"VirtualMachines\",\"deploymentScope\":\"subscription\",\"existenceScope\":\"subscription\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"existenceCondition\":{\"anyof\":[{\"field\":\"microsoft.security/pricings/pricingTier\",\"equals\":\"standard\"},{\"field\":\"microsoft.security/pricings/pricingTier\",\"equals\":\"free\"}]},\"deployment\":{\"location\":\"westeurope\",\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Security/pricings\",\"apiVersion\":\"2018-06-01\",\"name\":\"VirtualMachines\",\"properties\":{\"pricingTier\":\"free\"}}],\"outputs\":{}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac076320-ddcf-4066-b451-6154267e8ad2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac076320-ddcf-4066-b451-6154267e8ad2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1056 - Session Termination | User-Initiated Logouts / Message + Displays\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1056\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac43352f-df83-4694-8738-cfce549fd08d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac43352f-df83-4694-8738-cfce549fd08d\"},{\"properties\":{\"displayName\":\"[Preview]: + Role-Based Access Control (RBAC) should be used on Kubernetes Services\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"To + provide granular filtering on the actions that users can perform, use Role-Based + Access Control (RBAC) to manage permissions in Kubernetes Service Clusters + and configure relevant authorization policies.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security + Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/enableRBAC\",\"exists\":\"false\"},{\"field\":\"Microsoft.ContainerService/managedClusters/enableRBAC\",\"equals\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac4a19c2-fa67-49b4-8ae5-0b2e78c49457\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation if 'environment' tag value in allowed 
values\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation if the 'environment' tag is set to one of the following + values: production, dev, test, staging\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Tags\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"tags['environment']\",\"in\":[\"production\",\"dev\",\"test\",\"staging\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ac7e5fc0-c029-4b12-91d4-a8500ce697f9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ac7e5fc0-c029-4b12-91d4-a8500ce697f9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1569 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1569\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ad2f8e61-a564-4dfd-8eaa-816f5be8cb34\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ad2f8e61-a564-4dfd-8eaa-816f5be8cb34\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1454 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1454\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ad58985d-ab32-4f99-8bd3-b7e134c90229\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ad58985d-ab32-4f99-8bd3-b7e134c90229\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1025 - Account Management | Account Monitoring / Atypical + Usage\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1025\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/adfe020d-0a97-45f4-a39c-696ef99f3a95\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"adfe020d-0a97-45f4-a39c-696ef99f3a95\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1272 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1272\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae46cf7a-e3fd-427b-9b91-44bc78e2d9d8\"},{\"properties\":{\"displayName\":\"SQL + Server should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any SQL Server not configured to use a virtual network service + endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae5d2f14-d830-42b6-9899-df6cfe9c71a3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1598 - Developer Configuration Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1598\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ae7e1f5e-2d63-4b38-91ef-bce14151cce3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ae7e1f5e-2d63-4b38-91ef-bce14151cce3\"},{\"properties\":{\"displayName\":\"Email + notifications to admins and subscription owners should be enabled in SQL managed + instance advanced data security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + that 'email notification to admins and subscription owners' is enabled in + the SQL managed instance advanced threat protection settings. This ensures + that any detections of anomalous activities on SQL managed instance are reported + as soon as possible to the admins.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/emailAccountAdmins\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aeb23562-188d-47cb-80b8-551f16ef9fff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aeb23562-188d-47cb-80b8-551f16ef9fff\"},{\"properties\":{\"displayName\":\"Microsoft + 
Managed Control 1413 - Nonlocal Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1413\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aeedddb6-6bc0-42d5-809b-80048033419d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"aeedddb6-6bc0-42d5-809b-80048033419d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1710 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1710\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af2a93c8-e6dd-4c94-acdd-4a2eedfc478e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af2a93c8-e6dd-4c94-acdd-4a2eedfc478e\"},{\"properties\":{\"displayName\":\"Monitor + missing Endpoint Protection in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Servers + without an installed Endpoint Protection agent will be monitored by Azure + Security Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"endpointProtection\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af6cd1bd-1635-48cb-bde7-5b15693900b9\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Monitor unaudited SQL servers in Azure Security Center\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"SQL + servers which don't have SQL auditing turned on will be monitored by Azure + Security Center as recommendations. 
This policy is deprecated and replaced + by the following policy: 'Auditing should be enabled on advanced data security + settings on SQL Server'\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.SQL/servers\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"auditing\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/af8051bf-258b-44e2-a2bf-165330459f9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"af8051bf-258b-44e2-a2bf-165330459f9d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1645 - Cryptographic Key Establishment And Management | Symmetric + Keys\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1645\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/afbd0baf-ff1a-4447-a86f-088a97347c0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"afbd0baf-ff1a-4447-a86f-088a97347c0c\"},{\"properties\":{\"displayName\":\"Microsoft + 
Managed Control 1725 - Error Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1725\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/afc234b5-456b-4aa5-b3e2-ce89108124cc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"afc234b5-456b-4aa5-b3e2-ce89108124cc\"},{\"properties\":{\"displayName\":\"Activity + log should be retained for at least one year\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits the activity log if the retention is not set for 365 days or + forever (retention days set to 0).\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/logProfiles\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.enabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.days\",\"equals\":\"365\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.enabled\",\"equals\":\"false\"},{\"field\":\"Microsoft.Insights/logProfiles/retentionPolicy.days\",\"equals\":\"0\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b02aacc0-b073-424e-8298-42b22829ee0a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b02aacc0-b073-424e-8298-42b22829ee0a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1429 - Media Marking\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1429\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b07c9b24-729e-4e85-95fc-f224d2d08a80\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b07c9b24-729e-4e85-95fc-f224d2d08a80\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1711 - Security Function Verification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1711\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b083a535-a66a-41ec-ba7f-f9498bf67cde\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b083a535-a66a-41ec-ba7f-f9498bf67cde\"},{\"properties\":{\"displayName\":\"Just-In-Time + network access control should be applied on virtual machines\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Possible + network Just In Time (JIT) access will be monitored by Azure Security Center + as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"jitNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b0f33259-77d7-4c9e-aac6-3aabcfae693c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1571 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and 
Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1571\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b11c985b-f2cd-4bd7-85f4-b52426edf905\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b11c985b-f2cd-4bd7-85f4-b52426edf905\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Linux VMs that do not have the passwd file permissions + set to 0644\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Linux virtual machines that do not have the passwd file permissions + set to 0644. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":
\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid121\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b18175dd-c599-4c64-83ba-bb018a06d35b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b18175dd-c599-4c64-83ba-bb018a06d35b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1537 - Risk Assessment Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1537\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b19454ca-0d70-42c0-acf5-ea1c1e5726d1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b19454ca-0d70-42c0-acf5-ea1c1e5726d1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1091 - Security Awareness Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1091\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b23bd715-5d1c-4e5c-9759-9cbdf79ded9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b23bd715-5d1c-4e5c-9759-9cbdf79ded9d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1078 - Use Of External Information Systems | Limits On Authorized + Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1078\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b25faf85-8a16-4f28-8e15-d05c0072d64d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b25faf85-8a16-4f28-8e15-d05c0072d64d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1009 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1009\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b26f8610-e615-47c2-abd6-c00b2b0b503a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b26f8610-e615-47c2-abd6-c00b2b0b503a\"},{\"properties\":{\"displayName\":\"All + authorization rules except RootManageSharedAccessKey should be removed from + Event Hub namespace\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Event + Hub clients should not use a namespace level access policy that provides access + to all queues and topics in a namespace. 
To align with the least privilege + security model, you should create access policies at the entity level for + queues and topics to provide access to only the specific entity\",\"metadata\":{\"version\":\"1.0.1\",\"category\":\"Event + Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces/authorizationRules\"},{\"field\":\"name\",\"notEquals\":\"RootManageSharedAccessKey\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b278e460-7cfc-4451-8294-cccc40a940d7\"},{\"properties\":{\"displayName\":\"Inherit + a tag from the subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + or replaces the specified tag and value from the containing subscription when + any resource is created or updated. 
Existing resources can be remediated by + triggering a remediation task.\",\"metadata\":{\"category\":\"Tags\",\"version\":\"1.0.0\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"notEquals\":\"[subscription().tags[parameters('tagName')]]\"},{\"value\":\"[subscription().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[subscription().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b27a0cbd-a167-4dfa-ae64-4337be671140\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b27a0cbd-a167-4dfa-ae64-4337be671140\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1234 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1234\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b293f881-361c-47ed-b997-bc4e2296bc0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b293f881-361c-47ed-b997-bc4e2296bc0b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1107 - Content Of Audit 
Records\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1107\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b29ed931-8e21-4779-8458-27916122a904\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b29ed931-8e21-4779-8458-27916122a904\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows web servers that are not using secure communication + protocols\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows web servers + that are not using secure communication protocols (TLS 1.1 or TLS 1.2). It + also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"MinimumTLSVersion\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Minimum + TLS version\",\"description\":\"The minimum TLS protocol version that should + be enabled. 
Windows web servers with lower TLS versions will be marked as + non-compliant.\"},\"allowedValues\":[\"1.1\",\"1.2\"],\"defaultValue\":\"1.1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exis
ts\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AuditSecureProtocol\",\"existenceCondition\":{\"anyOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[SecureWebServer]s1;MinimumTLSVersion', + '=', parameters('MinimumTLSVersion')))]\"},{\"allOf\":[{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"\"},{\"value\":\"[parameters('MinimumTLSVersion')]\",\"equals\":\"1.1\"}]}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AuditSecureProtocol\"},\"MinimumTLSVersion\":{\"value\":\"[parameters('MinimumTLSVersion')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MinimumTLSVersion\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[SecureWebServer]s1;MinimumTLSVersion\",\"value\":\"[parameters('MinimumTLSVersion')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[SecureWebServer]s1;MinimumTLSVersion\",\"value\":\"[parameters('MinimumTLSVersion')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b2fc8f91-866d-4434-9089-5ebfe38d6fd8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b2fc8f91-866d-4434-9089-5ebfe38d6fd8\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - Logon-Logoff'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - Logon-Logoff'. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b3802d79-dd88-4bce-b81d-780218e48280\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b3802d79-dd88-4bce-b81d-780218e48280\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1041 - Least Privilege | Privilege Levels For Code Execution\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1041\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b3d8d15b-627a-4219-8c96-4d16f788888b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b3d8d15b-627a-4219-8c96-4d16f788888b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed 
Control 1380 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1380\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4319b7e-ea8d-42ff-8a67-ccd462972827\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4319b7e-ea8d-42ff-8a67-ccd462972827\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Search services should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Search\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Search/searchServices\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4330a05-a843-4bc8-bf9a-cacce50c67f4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1172 - Internal System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1172\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b43e946e-a4c8-4b92-8201-4a39331db43c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b43e946e-a4c8-4b92-8201-4a39331db43c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1672 - Flaw Remediation | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1672\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b45fe972-904e-45a4-ac20-673ba027a301\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b45fe972-904e-45a4-ac20-673ba027a301\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1131 - Protection Of Audit Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1131\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b472a17e-c2bc-493f-b50b-42d55a346962\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b472a17e-c2bc-493f-b50b-42d55a346962\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Sockets state for an API App\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + Web Sockets protocol is vulnerable to different types of security threats. + Use of Web Sockets within an API app must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b48334a4-911b-4084-b1ab-3e6a4e50b951\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b48334a4-911b-4084-b1ab-3e6a4e50b951\"},{\"properties\":{\"displayName\":\"A + security contact phone number should be provided for your 
subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enter + a phone number to receive notifications when Azure Security Center detects + compromised resources\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/securityContacts\",\"existenceCondition\":{\"field\":\"Microsoft.Security/securityContacts/phone\",\"notEquals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4d66858-c922-44e3-9566-5cdb7a7be744\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4d66858-c922-44e3-9566-5cdb7a7be744\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1286 - Telecommunications Services | Provider Contingency + Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1286\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b4f9b47a-2116-4e6f-88db-4edbf22753f1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b4f9b47a-2116-4e6f-88db-4edbf22753f1\"},{\"properties\":{\"displayName\":\"Service + Fabric clusters should only use Azure Active Directory for client 
authentication\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + usage of client authentication only via Azure Active Directory in Service + Fabric\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Service Fabric\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ServiceFabric/clusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId\",\"exists\":\"false\"},{\"field\":\"Microsoft.ServiceFabric/clusters/azureActiveDirectory.tenantId\",\"equals\":\"\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b54ed75b-3e1a-44ac-a333-05ba39b99ff0\"},{\"properties\":{\"displayName\":\"Deploy + Advanced Threat Protection for Cosmos DB Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy enables Advanced Threat Protection across Cosmos DB accounts.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Cosmos + DB\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DocumentDB/databaseAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/advancedThreatProtectionSettings\",\"name\":\"current\",\"existenceCondition\":{\"field\":\"Microsoft.Security/advancedThreatProtectionSettings/isEnabled\",\"equals\":\"true\"},\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"cosmosDbAccountName\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2019-01-01\",\"type\":\"Microsoft.DocumentDB/databaseAccounts/providers/advancedThreatProtectionSettings\",\"name\":\"[concat(parameters('cosmosDbAccountName'), + '/Microsoft.Security/current')]\",\"properties\":{\"isEnabled\":true}}]},\"parameters\":{\"cosmosDbAccountName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b5f04e03-92a3-4b09-9410-2cc5e5047656\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in App Services should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + enabling of diagnostic logs on the app. 
This enables you to recreate activity + trails for investigation purposes if a security incident occurs or your network + is compromised\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"notContains\":\"functionapp\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Web/sites/config/detailedErrorLoggingEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/httpLoggingEnabled\",\"equals\":\"true\"},{\"field\":\"Microsoft.Web/sites/config/requestTracingEnabled\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1419 - Nonlocal Maintenance | Cryptographic Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1419\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6747bf9-2b97-45b8-b162-3c8becb9937d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6747bf9-2b97-45b8-b162-3c8becb9937d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1301 - Identification And Authentication (Org. Users) | Network + Access To Privileged Accounts\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1301\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6a8e0cc-ac23-468b-abe4-a8a1cc6d7a08\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1568 - Acquisition Process\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1568\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6a8eae8-9854-495a-ac82-d2cd3eac02a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6a8eae8-9854-495a-ac82-d2cd3eac02a6\"},{\"properties\":{\"displayName\":\"Network + Watcher should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Network + Watcher is a regional service that enables you to monitor and diagnose conditions + at a network scenario level in, to, and from Azure. Scenario level monitoring + enables you to diagnose problems at an end to end network level view. Network + diagnostic and visualization tools available with Network Watcher help you + understand, diagnose, and gain insights to your network in Azure.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"listOfLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Locations\",\"description\":\"Audit + if Network Watcher is not enabled for region(s).\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Network/networkWatchers\",\"resourceGroupName\":\"NetworkWatcherRG\",\"existenceCondition\":{\"field\":\"location\",\"in\":\"[parameters('listOfLocations')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b6e2945c-0b7b-40f5-9233-7a5323b5cdc6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1608 - Supply Chain 
Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1608\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b73b7b3b-677c-4a2a-b949-ad4dc4acd89f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b73b7b3b-677c-4a2a-b949-ad4dc4acd89f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1401 - Controlled Maintenance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1401\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b78ee928-e3c1-4569-ad97-9f8c4b629847\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b78ee928-e3c1-4569-ad97-9f8c4b629847\"},{\"properties\":{\"displayName\":\"API + App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + of HTTPS ensures server/service authentication and protects data in transit + from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + 
Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"},{\"field\":\"Microsoft.Web/sites/httpsOnly\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b7ddfbdc-1260-477d-91fd-98bd9be789a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b7ddfbdc-1260-477d-91fd-98bd9be789a6\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs in which the Administrators group does + not contain only the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + in which the Administrators group does not contain only the specified members. + It also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"Members\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Members\",\"description\":\"A + semicolon-separated list of all the expected members of the Administrators + local group. 
Ex: Administrator; myUser1; myUser2\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"
Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembers\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[LocalGroup]AdministratorsGroup;Members', + '=', parameters('Members')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AdministratorsGroupMembers\"},\"Members\":{\"value\":\"[parameters('Members')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"Members\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;Members\",\"value\":\"[parameters('Members')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[LocalGroup]AdministratorsGroup;Members\",\"value\":\"[parameters('Members')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b821191b-3a12-44bc-9c38-212138a29ff3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b821191b-3a12-44bc-9c38-212138a29ff3\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Accounts'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Accounts'. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b872a447-cc6f-43b9-bccf-45703cd81607\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b872a447-cc6f-43b9-bccf-45703cd81607\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Logic Apps to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Logic Apps to stream to a regional Log Analytics + workspace when any Logic Apps which is missing this diagnostic settings is + created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile 
name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Logic/workflows\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEn
abled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Logic/workflows/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"WorkflowRuntime\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b889a06c-ec72-4b03-910a-cb169ee18721\"},{\"properties\":{\"displayName\":\"An + activity log alert should exist for specific Administrative operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits specific Administrative operations with no activity log alerts + configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation + 
Name\",\"description\":\"Administrative Operation name for which activity + log alert should be configured\"},\"allowedValues\":[\"Microsoft.Sql/servers/firewallRules/write\",\"Microsoft.Sql/servers/firewallRules/delete\",\"Microsoft.Network/networkSecurityGroups/write\",\"Microsoft.Network/networkSecurityGroups/delete\",\"Microsoft.ClassicNetwork/networkSecurityGroups/write\",\"Microsoft.ClassicNetwork/networkSecurityGroups/delete\",\"Microsoft.Network/networkSecurityGroups/securityRules/write\",\"Microsoft.Network/networkSecurityGroups/securityRules/delete\",\"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/write\",\"Microsoft.ClassicNetwork/networkSecurityGroups/securityRules/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Administrative\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b954148f-4c11-4c38-8221-be76711e194a\",\"type\":\"Microsoft.Autho
rization/policyDefinitions\",\"name\":\"b954148f-4c11-4c38-8221-be76711e194a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1257 - Contingency Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1257\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b958b241-4245-4bd6-bd2d-b8f0779fb543\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b958b241-4245-4bd6-bd2d-b8f0779fb543\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1186 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1186\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b95ba3bd-4ded-49ea-9d10-c6f4b680813d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b95ba3bd-4ded-49ea-9d10-c6f4b680813d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1447 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1447\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9783a99-98fe-4a95-873f-29613309fe9a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9783a99-98fe-4a95-873f-29613309fe9a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1625 - Boundary Protection | Access Points\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1625\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9b66a4d-70a1-4b47-8fa1-289cec68c605\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9b66a4d-70a1-4b47-8fa1-289cec68c605\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1610 - Development Process, Standards, And Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1610\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b9f3fb54-4222-46a1-a308-4874061f8491\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b9f3fb54-4222-46a1-a308-4874061f8491\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Recovery console'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Recovery console'. 
For more information on Guest + Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsRecoveryconsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ba12366f-f9a6-42b8-9d98-157d0b1a837b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ba12366f-f9a6-42b8-9d98-157d0b1a837b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1606 - Developer Security Testing And Evaluation | Threat + And Vulnerability Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1606\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"baa8a9a4-5bbe-4c72-98f6-a3a47ae2b1ca\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1726 - Information Handling And Retention\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1726\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/baff1279-05e0-4463-9a70-8ba5de4c7aa4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"baff1279-05e0-4463-9a70-8ba5de4c7aa4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1166 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1166\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bb02733d-3cc5-4bb0-a6cd-695ba2c2272e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bb02733d-3cc5-4bb0-a6cd-695ba2c2272e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1188 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1188\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bb20548a-c926-4e4d-855c-bcddc6faf95e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bb20548a-c926-4e4d-855c-bcddc6faf95e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1533 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1533\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bba2a036-fb3b-4261-b1be-a13dfb5fbcaa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bba2a036-fb3b-4261-b1be-a13dfb5fbcaa\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Microsoft Network Client'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Microsoft Network Client'. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Microsoft network client: Digitally sign communications (always)\",\"description\":\"Specifies + whether packet signing is required by the SMB client component.\"},\"defaultValue\":\"1\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Microsoft network client: Send unencrypted password to third-party SMB servers\",\"description\":\"Specifies + whether the SMB redirector will send plaintext passwords during authentication + to third-party SMB servers that do not support password encryption. It is + recommended that you disable this policy setting unless there is a strong + business case to enable it.\"},\"defaultValue\":\"0\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Microsoft network server: Amount of idle time required before suspending session\",\"description\":\"Specifies + the amount of continuous idle time that must pass in an SMB session before + the session is suspended because of inactivity. 
The format of the value is + two integers separated by a comma, denoting an inclusive range.\"},\"defaultValue\":\"1,15\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Microsoft network server: Digitally sign communications (always)\",\"description\":\"Specifies + whether packet signing is required by the SMB server component.\"},\"defaultValue\":\"1\"},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Microsoft network server: Disconnect clients when logon hours expire\",\"description\":\"Specifies + whether to disconnect users who are connected to the local computer outside + their user account's valid logon hours. This setting affects the Server Message + Block (SMB) component. If you enable this policy setting you should also enable + 'Network security: Force logoff when logon hours expire'\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data
-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Microsoft + network client: Digitally sign communications (always);ExpectedValue', '=', + parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways'), ',', + 'Microsoft network 
client: Send unencrypted password to third-party SMB servers;ExpectedValue', + '=', parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers'), + ',', 'Microsoft network server: Amount of idle time required before suspending + session;ExpectedValue', '=', parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession'), + ',', 'Microsoft network server: Digitally sign communications (always);ExpectedValue', + '=', parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways'), + ',', 'Microsoft network server: Disconnect clients when logon hours expire;ExpectedValue', + '=', parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\"},\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"
location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"MicrosoftNetworkClientDigitallySignCommunicationsAlways\":{\"type\":\"string\"},\"MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers\":{\"type\":\"string\"},\"MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession\":{\"type\":\"string\"},\"MicrosoftNetworkServerDigitallySignCommunicationsAlways\":{\"type\":\"string\"},\"MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Microsoft + network client: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},{\"name\":\"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},{\"name\":\"Microsoft + network server: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft + network server: Disconnect clients when logon hours 
expire;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Microsoft + network client: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft + network client: Send unencrypted password to third-party SMB servers;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkClientSendUnencryptedPasswordToThirdpartySMBServers')]\"},{\"name\":\"Microsoft + network server: Amount of idle time required before suspending session;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerAmountOfIdleTimeRequiredBeforeSuspendingSession')]\"},{\"name\":\"Microsoft + network server: Digitally sign communications (always);ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDigitallySignCommunicationsAlways')]\"},{\"name\":\"Microsoft + network server: Disconnect clients when logon hours expire;ExpectedValue\",\"value\":\"[parameters('MicrosoftNetworkServerDisconnectClientsWhenLogonHoursExpire')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bbcdd8fa-b600-4ee3-85b8-d184e3339652\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bbcdd8fa-b600-4ee3-85b8-d184e3339652\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit API Applications that are not using latest supported Python Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported Python version for the latest security classes. 
Using + older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestPython\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc0378bb-d7ab-4614-a0f6-5a6e3f02d644\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc0378bb-d7ab-4614-a0f6-5a6e3f02d644\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1194 - Configuration Change Control | Automated Document / + Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1194\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc34667f-397e-4a65-9b72-d0358f0b6b09\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc34667f-397e-4a65-9b72-d0358f0b6b09\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1095 - Role-Based Security Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1095\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc3f6f7a-057b-433e-9834-e8c97b0194f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc3f6f7a-057b-433e-9834-e8c97b0194f6\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - Account Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - Account Logon'. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc87d811-4a9b-47cc-ae54-0a41abda7768\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc87d811-4a9b-47cc-ae54-0a41abda7768\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1427 - Media Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1427\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bc90e44f-d83f-4bdf-900f-3d5eb4111b31\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bc90e44f-d83f-4bdf-900f-3d5eb4111b31\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1351 
- Incident Response Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1351\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bcfb6683-05e5-4ce6-9723-c3fbe9896bdd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bcfb6683-05e5-4ce6-9723-c3fbe9896bdd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1050 - Concurrent Session Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1050\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd20184c-b4ec-4ce5-8db6-6e86352d183f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd20184c-b4ec-4ce5-8db6-6e86352d183f\"},{\"properties\":{\"displayName\":\"[Preview]: + IP Forwarding on your virtual machine should be disabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Enabling + IP forwarding on a virtual machine's NIC allows the machine to receive traffic + addressed to other destinations. 
IP forwarding is rarely required (e.g., when + using the VM as a network virtual appliance), and therefore, this should be + reviewed by the network security team.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security + Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"disableIPForwarding\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"Monitored\",\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd352bd5-2853-4985-bf0d-73806b4a5744\"},{\"properties\":{\"displayName\":\"Advanced + Threat Protection types should be set to 'All' in SQL managed instance Advanced + Data Security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + is recommended to enable all Advanced Threat Protection types on your SQL + servers. 
Enabling all types protects against SQL injection, database vulnerabilities, + and any other anomalous activities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/managedInstances\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/managedInstances/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/managedInstances/securityAlertPolicies/disabledAlerts[*]\",\"equals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bda18df3-5e41-4709-add9-2554ce68c966\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bda18df3-5e41-4709-add9-2554ce68c966\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs in which the Administrators group contains + any of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines in which the Administrators group contains + any of the specified members. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToExclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bde62c94-ccca-4821-a815-92c1d31a76de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bde62c94-ccca-4821-a815-92c1d31a76de\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Applications that are not using latest supported Java Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported Java version for the latest security classes. 
Using older + classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestJava\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/be0a7681-bed4-48dc-9ff3-f0171ee170b6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"be0a7681-bed4-48dc-9ff3-f0171ee170b6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1360 - Incident Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1360\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/be5b05e7-0b82-4ebc-9eda-25e447b1a41e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"be5b05e7-0b82-4ebc-9eda-25e447b1a41e\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Key Vault to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Key Vault to stream to a regional Log Analytics + workspace when any Key Vault which is missing this diagnostic settings is + created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.KeyVault/vaults/providers/diagnosticSettings\",\"apiVersion\":\
"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bef3f64c-5290-43b7-85b0-9b254eef4c47\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1152 - System Interconnections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1152\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/beff0acf-7e67-40b2-b1ca-1a0e8205cf1b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"beff0acf-7e67-40b2-b1ca-1a0e8205cf1b\"},{\"properties\":{\"displayName\":\"Geo-redundant + storage should be enabled for 
Storage Accounts\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Storage Account with geo-redundant storage not enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/sku.name\",\"in\":[\"Standard_GRS\",\"Standard_RAGRS\",\"Standard_GZRS\",\"Standard_RAGZRS\"]}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf045164-79ba-4215-8f95-f8048dc1780b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf045164-79ba-4215-8f95-f8048dc1780b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1590 - External Information System Services | Risk Assessments + / Organizational Approvals\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1590\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf296b8c-f391-4ea4-9198-be3c9d39dd1f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf296b8c-f391-4ea4-9198-be3c9d39dd1f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1446 - Physical And Environmental Protection Policy And 
Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1446\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bf6850fe-abba-468e-9ef4-d09ec7d983cd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bf6850fe-abba-468e-9ef4-d09ec7d983cd\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'System Audit + Policies - Logon-Logoff'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - Logon-Logoff'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditGroupMembership\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit Group Membership\",\"description\":\"Specifies whether audit events + are generated when group memberships are enumerated on the client computer.\"},\"allowedValues\":[\"No + Auditing\",\"Success\",\"Failure\",\"Success and Failure\"],\"defaultValue\":\"Success\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\
"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit + Group Membership;ExpectedValue', '=', 
parameters('AuditGroupMembership')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesLogonLogoff\"},\"AuditGroupMembership\":{\"value\":\"[parameters('AuditGroupMembership')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditGroupMembership\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Group Membership;ExpectedValue\",\"value\":\"[parameters('AuditGroupMembership')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Group 
Membership;ExpectedValue\",\"value\":\"[parameters('AuditGroupMembership')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c04255ee-1b9f-42c1-abaa-bf1553f79930\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c04255ee-1b9f-42c1-abaa-bf1553f79930\"},{\"properties\":{\"displayName\":\"Only + approved VM extensions should be installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy governs the virtual machine extensions that are not approved.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"approvedExtensions\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of approved extension types that 
can be installed. Example: AzureDiskEncryption\",\"displayName\":\"Approved + extensions\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines/extensions\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"notIn\":\"[parameters('approvedExtensions')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c0e996f8-39cf-4af9-9f45-83fbde810432\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c0e996f8-39cf-4af9-9f45-83fbde810432\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1124 - Audit Reduction And Report Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1124\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c10152dd-78f8-4335-ae2d-ad92cc028da4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c10152dd-78f8-4335-ae2d-ad92cc028da4\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1676 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1676\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c10fb58b-56a8-489e-9ce3-7ffe24e78e4b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c10fb58b-56a8-489e-9ce3-7ffe24e78e4b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1719 - Spam Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1719\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c13da9b4-fe14-4fe2-853a-5997c9d4215a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c13da9b4-fe14-4fe2-853a-5997c9d4215a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1226 - Information System Component Inventory | Automated + Unauthorized Component Detection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1226\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c158eb1c-ae7e-4081-8057-d527140c4e0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c158eb1c-ae7e-4081-8057-d527140c4e0c\"},{\"properties\":{\"displayName\":\"Deploy + associations for a custom provider\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + an association resource that associates selected resource types to the specified + custom provider. This policy deployment does not support nested resource types.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Custom + Provider\"},\"parameters\":{\"targetCustomProviderId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Custom + provider ID\",\"description\":\"Resource ID of the Custom provider to which + resources need to be associated.\"}},\"resourceTypesToAssociate\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Resource + types to associate\",\"description\":\"The list of resource types to be associated + to the custom provider.\",\"strongType\":\"resourceTypes\"}},\"associationNamePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Association + name prefix\",\"description\":\"Prefix to be added to the name of the association + resource being created.\"},\"defaultValue\":\"DeployedByPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":\"[parameters('resourceTypesToAssociate')]\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.CustomProviders/Associations\",\"name\":\"[concat(parameters('associationNamePrefix'), + '-', 
uniqueString(parameters('targetCustomProviderId')))]\",\"roleDefinitionIds\":[\"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"associatedResourceName\":{\"type\":\"string\"},\"resourceTypesToAssociate\":{\"type\":\"string\"},\"targetCustomProviderId\":{\"type\":\"string\"},\"associationNamePrefix\":{\"type\":\"string\"}},\"variables\":{\"resourceType\":\"[concat(parameters('resourceTypesToAssociate'), + '/providers/associations')]\",\"resourceName\":\"[concat(parameters('associatedResourceName'), + '/microsoft.customproviders/', parameters('associationNamePrefix'), '-', uniqueString(parameters('targetCustomProviderId')))]\"},\"resources\":[{\"type\":\"Microsoft.Resources/deployments\",\"apiVersion\":\"2017-05-10\",\"name\":\"[concat(deployment().Name, + '-2')]\",\"properties\":{\"mode\":\"Incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"resources\":[{\"type\":\"[variables('resourceType')]\",\"name\":\"[variables('resourceName')]\",\"apiVersion\":\"2018-09-01-preview\",\"properties\":{\"targetResourceId\":\"[parameters('targetCustomProviderId')]\"}}]}}}]},\"parameters\":{\"resourceTypesToAssociate\":{\"value\":\"[field('type')]\"},\"associatedResourceName\":{\"value\":\"[field('name')]\"},\"targetCustomProviderId\":{\"value\":\"[parameters('targetCustomProviderId')]\"},\"associationNamePrefix\":{\"value\":\"[parameters('associationNamePrefix')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c15c281f-ea5c-44cd-90b8-fc3c14d13f0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c15c281f-ea5c-44cd-90b8-fc3c14d13f0c\"},{\"properties\":{\"displayName\":\"Microsoft + 
Managed Control 1629 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1629\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c171b095-7756-41de-8644-a062a96043f2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c171b095-7756-41de-8644-a062a96043f2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1004 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1004\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c17822dc-736f-4eb4-a97d-e6be662ff835\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c17822dc-736f-4eb4-a97d-e6be662ff835\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation only in Asia data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation in the following locations only: East Asia, Southeast Asia, + West India, South India, Central India, Japan East, Japan 
West\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"eastasia\",\"southeastasia\",\"westindia\",\"southindia\",\"centralindia\",\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1b9cbed-08e3-427d-b9ce-7c535b1e9b94\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1b9cbed-08e3-427d-b9ce-7c535b1e9b94\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'System Audit + Policies - Account Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - Account Logon'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditCredentialValidation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit Credential Validation\",\"description\":\"Specifies whether audit events + are generated when credentials are submitted for a user account logon request. 
+ \ This setting is especially useful for monitoring unsuccessful attempts, + to find brute-force attacks, account enumeration, and potential account compromise + events on domain controllers.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success + and Failure\"],\"defaultValue\":\"Success and Failure\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-servic
es\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit + Credential Validation;ExpectedValue', '=', 
parameters('AuditCredentialValidation')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesAccountLogon\"},\"AuditCredentialValidation\":{\"value\":\"[parameters('AuditCredentialValidation')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditCredentialValidation\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Credential Validation;ExpectedValue\",\"value\":\"[parameters('AuditCredentialValidation')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Credential 
Validation;ExpectedValue\",\"value\":\"[parameters('AuditCredentialValidation')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1e289c0-ffad-475d-a924-adc058765d65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1e289c0-ffad-475d-a924-adc058765d65\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1503 - Information Security Architecture\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1503\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c1fa9c2f-d439-4ab9-8b83-81fb1934f81d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c1fa9c2f-d439-4ab9-8b83-81fb1934f81d\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs that are not set to the specified time + zone\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that are not set to the specified time zone. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"TimeZone\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Time + zone\",\"description\":\"The expected time zone\"},\"allowedValues\":[\"(UTC-12:00) + International Date Line West\",\"(UTC-11:00) Coordinated Universal Time-11\",\"(UTC-10:00) + Aleutian Islands\",\"(UTC-10:00) Hawaii\",\"(UTC-09:30) Marquesas Islands\",\"(UTC-09:00) + Alaska\",\"(UTC-09:00) Coordinated Universal Time-09\",\"(UTC-08:00) Baja + California\",\"(UTC-08:00) Coordinated Universal Time-08\",\"(UTC-08:00) Pacific + Time (US & Canada)\",\"(UTC-07:00) Arizona\",\"(UTC-07:00) Chihuahua, La Paz, + Mazatlan\",\"(UTC-07:00) Mountain Time (US & Canada)\",\"(UTC-06:00) Central + America\",\"(UTC-06:00) Central Time (US & Canada)\",\"(UTC-06:00) Easter + Island\",\"(UTC-06:00) Guadalajara, Mexico City, Monterrey\",\"(UTC-06:00) + Saskatchewan\",\"(UTC-05:00) Bogota, Lima, Quito, Rio Branco\",\"(UTC-05:00) + Chetumal\",\"(UTC-05:00) Eastern Time (US & Canada)\",\"(UTC-05:00) Haiti\",\"(UTC-05:00) + Havana\",\"(UTC-05:00) Indiana (East)\",\"(UTC-05:00) Turks and Caicos\",\"(UTC-04:00) + Asuncion\",\"(UTC-04:00) Atlantic Time (Canada)\",\"(UTC-04:00) Caracas\",\"(UTC-04:00) + Cuiaba\",\"(UTC-04:00) Georgetown, La Paz, Manaus, San Juan\",\"(UTC-04:00) + Santiago\",\"(UTC-03:30) Newfoundland\",\"(UTC-03:00) Araguaina\",\"(UTC-03:00) + Brasilia\",\"(UTC-03:00) Cayenne, Fortaleza\",\"(UTC-03:00) City of Buenos + Aires\",\"(UTC-03:00) Greenland\",\"(UTC-03:00) Montevideo\",\"(UTC-03:00) + Punta Arenas\",\"(UTC-03:00) Saint Pierre and Miquelon\",\"(UTC-03:00) Salvador\",\"(UTC-02:00) + Coordinated Universal Time-02\",\"(UTC-02:00) Mid-Atlantic - Old\",\"(UTC-01:00) + Azores\",\"(UTC-01:00) Cabo Verde Is.\",\"(UTC) Coordinated Universal Time\",\"(UTC+00:00) + 
Dublin, Edinburgh, Lisbon, London\",\"(UTC+00:00) Monrovia, Reykjavik\",\"(UTC+00:00) + Sao Tome\",\"(UTC+01:00) Casablanca\",\"(UTC+01:00) Amsterdam, Berlin, Bern, + Rome, Stockholm, Vienna\",\"(UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, + Prague\",\"(UTC+01:00) Brussels, Copenhagen, Madrid, Paris\",\"(UTC+01:00) + Sarajevo, Skopje, Warsaw, Zagreb\",\"(UTC+01:00) West Central Africa\",\"(UTC+02:00) + Amman\",\"(UTC+02:00) Athens, Bucharest\",\"(UTC+02:00) Beirut\",\"(UTC+02:00) + Cairo\",\"(UTC+02:00) Chisinau\",\"(UTC+02:00) Damascus\",\"(UTC+02:00) Gaza, + Hebron\",\"(UTC+02:00) Harare, Pretoria\",\"(UTC+02:00) Helsinki, Kyiv, Riga, + Sofia, Tallinn, Vilnius\",\"(UTC+02:00) Jerusalem\",\"(UTC+02:00) Kaliningrad\",\"(UTC+02:00) + Khartoum\",\"(UTC+02:00) Tripoli\",\"(UTC+02:00) Windhoek\",\"(UTC+03:00) + Baghdad\",\"(UTC+03:00) Istanbul\",\"(UTC+03:00) Kuwait, Riyadh\",\"(UTC+03:00) + Minsk\",\"(UTC+03:00) Moscow, St. Petersburg\",\"(UTC+03:00) Nairobi\",\"(UTC+03:30) + Tehran\",\"(UTC+04:00) Abu Dhabi, Muscat\",\"(UTC+04:00) Astrakhan, Ulyanovsk\",\"(UTC+04:00) + Baku\",\"(UTC+04:00) Izhevsk, Samara\",\"(UTC+04:00) Port Louis\",\"(UTC+04:00) + Saratov\",\"(UTC+04:00) Tbilisi\",\"(UTC+04:00) Volgograd\",\"(UTC+04:00) + Yerevan\",\"(UTC+04:30) Kabul\",\"(UTC+05:00) Ashgabat, Tashkent\",\"(UTC+05:00) + Ekaterinburg\",\"(UTC+05:00) Islamabad, Karachi\",\"(UTC+05:00) Qyzylorda\",\"(UTC+05:30) + Chennai, Kolkata, Mumbai, New Delhi\",\"(UTC+05:30) Sri Jayawardenepura\",\"(UTC+05:45) + Kathmandu\",\"(UTC+06:00) Astana\",\"(UTC+06:00) Dhaka\",\"(UTC+06:00) Omsk\",\"(UTC+06:30) + Yangon (Rangoon)\",\"(UTC+07:00) Bangkok, Hanoi, Jakarta\",\"(UTC+07:00) Barnaul, + Gorno-Altaysk\",\"(UTC+07:00) Hovd\",\"(UTC+07:00) Krasnoyarsk\",\"(UTC+07:00) + Novosibirsk\",\"(UTC+07:00) Tomsk\",\"(UTC+08:00) Beijing, Chongqing, Hong + Kong, Urumqi\",\"(UTC+08:00) Irkutsk\",\"(UTC+08:00) Kuala Lumpur, Singapore\",\"(UTC+08:00) + Perth\",\"(UTC+08:00) Taipei\",\"(UTC+08:00) 
Ulaanbaatar\",\"(UTC+08:45) Eucla\",\"(UTC+09:00) + Chita\",\"(UTC+09:00) Osaka, Sapporo, Tokyo\",\"(UTC+09:00) Pyongyang\",\"(UTC+09:00) + Seoul\",\"(UTC+09:00) Yakutsk\",\"(UTC+09:30) Adelaide\",\"(UTC+09:30) Darwin\",\"(UTC+10:00) + Brisbane\",\"(UTC+10:00) Canberra, Melbourne, Sydney\",\"(UTC+10:00) Guam, + Port Moresby\",\"(UTC+10:00) Hobart\",\"(UTC+10:00) Vladivostok\",\"(UTC+10:30) + Lord Howe Island\",\"(UTC+11:00) Bougainville Island\",\"(UTC+11:00) Chokurdakh\",\"(UTC+11:00) + Magadan\",\"(UTC+11:00) Norfolk Island\",\"(UTC+11:00) Sakhalin\",\"(UTC+11:00) + Solomon Is., New Caledonia\",\"(UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky\",\"(UTC+12:00) + Auckland, Wellington\",\"(UTC+12:00) Coordinated Universal Time+12\",\"(UTC+12:00) + Fiji\",\"(UTC+12:00) Petropavlovsk-Kamchatsky - Old\",\"(UTC+12:45) Chatham + Islands\",\"(UTC+13:00) Coordinated Universal Time+13\",\"(UTC+13:00) Nuku'alofa\",\"(UTC+13:00) + Samoa\",\"(UTC+14:00) Kiritimati Island\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"win
dows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsTimeZone\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[WindowsTimeZone]WindowsTimeZone1;TimeZone', + '=', 
parameters('TimeZone')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsTimeZone\"},\"TimeZone\":{\"value\":\"[parameters('TimeZone')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"TimeZone\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[WindowsTimeZone]WindowsTimeZone1;TimeZone\",\"value\":\"[parameters('TimeZone')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c21f7060-c148-41cf-a68b-0ab3e14c764c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c21f7060-c148-41cf-a68b-0ab3e14c764c\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs on which the specified services are not installed + and 'Running'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines on which the specified services are not + installed and 'Running'. 
For more information on Guest Configuration policies, + please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsServiceStatus\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c2dd2a9a-8a20-4a9c-b8d6-f17ccc26939a\"},{\"properties\":{\"displayName\":\"Ensure + that '.Net Framework' version is the latest, if used as a part of the API + app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for .Net Framework software either due to security + flaws or to include additional functionality. 
Using the latest .Net framework + version for web apps is recommended in order to to take advantage of security + fixes, if any, and/or new functionalities of the latest version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.netFrameworkVersion\",\"in\":[\"v3.0\",\"v4.0\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c2e7ca55-f62c-49b2-89a4-d41eb661d2f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c2e7ca55-f62c-49b2-89a4-d41eb661d2f0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1176 - Baseline Configuration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1176\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c30690a5-7bf3-467f-b0cd-ef5c7c7449cd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c30690a5-7bf3-467f-b0cd-ef5c7c7449cd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1389 - Information Spillage 
Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1389\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c39e6fda-ae70-4891-a739-be7bba6d1062\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c39e6fda-ae70-4891-a739-be7bba6d1062\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1390 - Information Spillage Response | Responsible Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1390\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c3b65b63-09ec-4cb5-8028-7dd324d10eb0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c3b65b63-09ec-4cb5-8028-7dd324d10eb0\"},{\"properties\":{\"displayName\":\"System + updates on virtual machine scale sets should be installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + whether there are any missing system security updates and critical updates + that should be installed to ensure that your Windows and Linux virtual machine + scale sets are 
secure.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"SystemUpdates\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c3f317a7-a95c-4547-b7e7-11017ebdf2fe\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Linux VMs that have accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Linux virtual machines that have accounts without passwords. 
For + more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":
\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid232\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c40c9087-1981-4e73-9f53-39743eda9d05\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c40c9087-1981-4e73-9f53-39743eda9d05\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1220 - Least Functionality | Authorized Software / Whitelisting\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1220\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c40f31a7-81e1-4130-99e5-a02ceea2a1d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c40f31a7-81e1-4130-99e5-a02ceea2a1d6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1513 - Personnel Screening | Information With Special Protection + Measures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1513\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c416970d-b12b-49eb-8af4-fb144cd7c290\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c416970d-b12b-49eb-8af4-fb144cd7c290\"},{\"properties\":{\"displayName\":\"Microsoft + Antimalware for Azure should be configured to automatically update protection + signatures\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Windows virtual machine not configured with automatic update + of Microsoft Antimalware protection signatures.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"equals\":\"Windows\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"IaaSAntimalware\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.Azure.Security\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/autoUpgradeMinorVersion\",\"equals\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c43e4a30-77cb-48ab-a4dd-93f175c63b57\"},{\"properties\":{\"displayName\":\"[Preview]: + Container Registry should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Container Registry not configured to use a virtual network + service endpoint.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Network\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerRegistry/registries\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.virtualNetworkRules[*].action\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4857be7-912a-4c75-87e6-e30292bcdf78\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1235 - Software Usage Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1235\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c49c610b-ece4-44b3-988c-2172b70d6e46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c49c610b-ece4-44b3-988c-2172b70d6e46\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1173 - Internal System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1173\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4aff9e7-2e60-46fa-86be-506b79033fc5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4aff9e7-2e60-46fa-86be-506b79033fc5\"},{\"properties\":{\"displayName\":\"Managed + identity should be used in your API App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Use + a managed identity for enhanced authentication security\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4d441f8-f9d9-4a9e-9cef-e82117cb3eef\"},{\"properties\":{\"displayName\":\"Authentication + should be enabled on your API app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the API app, or authenticate those that have tokens before they + reach the API 
app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c4ebc54a-46e1-481a-bee2-d4411e95d828\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c4ebc54a-46e1-481a-bee2-d4411e95d828\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1600 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1600\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c53f3123-d233-44a7-930b-f40d3bfeb7d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c53f3123-d233-44a7-930b-f40d3bfeb7d6\"},{\"properties\":{\"displayName\":\"An + activity log alert should exist for specific Policy operations\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits specific Policy operations with no activity log alerts 
configured.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"operationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Operation + Name\",\"description\":\"Policy Operation name for which activity log alert + should exist\"},\"allowedValues\":[\"Microsoft.Authorization/policyAssignments/write\",\"Microsoft.Authorization/policyAssignments/delete\"]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/ActivityLogAlerts\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts\",\"exists\":\"true\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/enabled\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"Policy\"}]},{\"allOf\":[{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"},{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals\",\"equals\":\"[parameters('operationName')]\"}]}]}},\"equals\":2},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"category\"}},{\"not\":{\"field\":\"Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field\",\"equals\":\"operationName\"}}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858\",\"type\":\"Microsoft.Authorization/polic
yDefinitions\",\"name\":\"c5447c04-a4d7-4ba8-a263-c9ee321a6858\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1408 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1408\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5f56ac6-4bb2-4086-bc41-ad76344ba2c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5f56ac6-4bb2-4086-bc41-ad76344ba2c2\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that contain certificates expiring + within the specified number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that contain certificates expiring within the specified number of days. It + also creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"CertificateStorePath\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Certificate store path\",\"description\":\"The path to the certificate store + containing the certificates to check the expiration dates of. Default value + is 'Cert:' which is the root certificate store path, so all certificates on + the machine will be checked. Other example paths: 'Cert:\\\\LocalMachine', + 'Cert:\\\\LocalMachine\\\\TrustedPublisher', 'Cert:\\\\CurrentUser'\"},\"defaultValue\":\"Cert:\"},\"ExpirationLimitInDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Expiration limit in days\",\"description\":\"An integer indicating the number + of days within which to check for certificates that are expiring. For example, + if this value is 30, any certificate expiring within the next 30 days will + cause this policy to be non-compliant.\"},\"defaultValue\":\"30\"},\"CertificateThumbprintsToInclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Certificate thumbprints to include\",\"description\":\"A semicolon-separated + list of certificate thumbprints to check under the specified path. If a value + is not specified, all certificates under the certificate store path will be + checked. If a value is specified, no certificates other than those with the + thumbprints specified will be checked. e.g. THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"},\"defaultValue\":\"\"},\"CertificateThumbprintsToExclude\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Certificate thumbprints to exclude\",\"description\":\"A semicolon-separated + list of certificate thumbprints to ignore. e.g. 
THUMBPRINT1;THUMBPRINT2;THUMBPRINT3\"},\"defaultValue\":\"\"},\"IncludeExpiredCertificates\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Include expired certificates\",\"description\":\"Must be 'true' or 'false'. + True indicates that any found certificates that have already expired will + also make this policy non-compliant. False indicates that certificates that + have expired will be be ignored.\"},\"allowedValues\":[\"true\",\"false\"],\"defaultValue\":\"false\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":
\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"CertificateExpiration\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[CertificateStore]CertificateStore1;CertificateStorePath', + '=', parameters('CertificateStorePath'), ',', '[CertificateStore]CertificateStore1;ExpirationLimitInDays', + '=', parameters('ExpirationLimitInDays'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude', + '=', parameters('CertificateThumbprintsToInclude'), ',', '[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude', + '=', parameters('CertificateThumbprintsToExclude'), ',', '[CertificateStore]CertificateStore1;IncludeExpiredCertificates', + '=', 
parameters('IncludeExpiredCertificates')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"CertificateExpiration\"},\"CertificateStorePath\":{\"value\":\"[parameters('CertificateStorePath')]\"},\"ExpirationLimitInDays\":{\"value\":\"[parameters('ExpirationLimitInDays')]\"},\"CertificateThumbprintsToInclude\":{\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},\"CertificateThumbprintsToExclude\":{\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},\"IncludeExpiredCertificates\":{\"value\":\"[parameters('IncludeExpiredCertificates')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"CertificateStorePath\":{\"type\":\"string\"},\"ExpirationLimitInDays\":{\"type\":\"string\"},\"CertificateThumbprintsToInclude\":{\"type\":\"string\"},\"CertificateThumbprintsToExclude\":{\"type\":\"string\"},\"IncludeExpiredCertificates\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateStorePath\",\"value\":\"[parameters('CertificateStorePath')]\"},{\"name\":\"[CertificateStore]CertificateStore1;ExpirationLimitInDays\",\"value\":\"[parameters('ExpirationLimitInDays')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude\",\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;IncludeExpiredCertificates\",\"value\":\"[parameters('IncludeExpiredCertificates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[CertificateStore]CertificateStore1;CertificateStorePath\",\"value\":\"[parameters('CertificateStorePath')]\"},{\"name\":\"[CertificateStore]CertificateStore1;ExpirationLimitInDays\",\"value\":\"[parameters('ExpirationLimitInDays')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToInclude\",\"value\":\"[parameters('CertificateThumbprintsToInclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;CertificateThumbprintsToExclude\",\"value\":\"[parameters('CertificateThumbprintsToExclude')]\"},{\"name\":\"[CertificateStore]CertificateStore1;IncludeExpiredCertificates\",\"value\":\"[parameters('IncludeExpiredCertificates')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c5fbc59e-fb6f-494f-81e2-d99a671bdaa8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c5fbc59e-fb6f-494f-81e2-d99a671bdaa8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1670 - Flaw Remediation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1670\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c6108469-57ee-4666-af7e-79ba61c7ae0c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c6108469-57ee-4666-af7e-79ba61c7ae0c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1190 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1190\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c66a3d1e-465b-4f28-9da5-aef701b59892\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c66a3d1e-465b-4f28-9da5-aef701b59892\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1120 - Audit Review, Analysis, And Reporting | Integration + / Scanning And Monitoring Capabilities\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1120\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c69b870e-857b-458b-af02-bb234f7a00d3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c69b870e-857b-458b-af02-bb234f7a00d3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1125 - Audit Reduction And Report Generation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1125\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c6ce745a-670e-47d3-a6c4-3cfe5ef00c10\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c6ce745a-670e-47d3-a6c4-3cfe5ef00c10\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace + for resource specific categories.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploy + Diagnostic Settings for Recovery Services Vault to stream to Log Analytics + workspace for Resource specific categories. If any of the Resource specific + categories are not enabled, a new diagnostic setting is created.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"preview\":true,\"category\":\"Monitoring\"},\"parameters\":{\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Profile name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Log Analytics workspace\",\"description\":\"Select Log Analytics workspace + from dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Exclusion Tag Name\",\"description\":\"Name of the tag to use for excluding + vaults from this policy. 
This should be used along with the Exclusion Tag + Value parameter.\"},\"defaultValue\":\"\"},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Exclusion Tag Value\",\"description\":\"Value of the tag to use for excluding + vaults from this policy. This should be used along with the Exclusion Tag + Name parameter.\"},\"defaultValue\":\"\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.RecoveryServices/vaults\"},{\"not\":{\"field\":\"[concat('tags[',parameters('tagName'), + ']')]\",\"equals\":\"[parameters('tagValue')]\"}}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"allof\":[{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"allof\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].Category\",\"in\":[\"CoreAzureBackup\",\"AddonAzureBackupJobs\",\"AddonAzureBackupAlerts\",\"AddonAzureBackupPolicy\",\"AddonAzureBackupStorage\",\"AddonAzureBackupProtectedInstance\"]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].Enabled\",\"equals\":\"True\"}]}},\"Equals\":6},{\"field\":\"Microsoft.Insights/diagnosticSettings/workspaceId\",\"notEquals\":\"\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType\",\"equals\":\"Dedicated\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vaultName\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.RecoveryServices/vaults/providers/dia
gnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('vaultName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"logAnalyticsDestinationType\":\"Dedicated\",\"metrics\":[],\"logs\":[{\"category\":\"CoreAzureBackup\",\"enabled\":\"true\"},{\"category\":\"AddonAzureBackupAlerts\",\"enabled\":\"true\"},{\"category\":\"AddonAzureBackupJobs\",\"enabled\":\"true\"},{\"category\":\"AddonAzureBackupPolicy\",\"enabled\":\"true\"},{\"category\":\"AddonAzureBackupProtectedInstance\",\"enabled\":\"true\"},{\"category\":\"AddonAzureBackupStorage\",\"enabled\":\"true\"}]}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat(parameters('logAnalytics'), + 'configured for diagnostic logs for ', ': ', parameters('vaultName'), '/', + 'Microsoft.Insights/', parameters('profileName'))]\"}}},\"parameters\":{\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"vaultName\":{\"value\":\"[field('name')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c717fb0c-d118-4c43-ab3d-ece30ac81fb3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1619 - Information In Shared Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1619\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c722e569-cb52-45f3-a643-836547d016e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c722e569-cb52-45f3-a643-836547d016e1\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1121 - Audit Review, Analysis, And Reporting | Correlation + With Physical Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1121\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c72b0eb9-1fc2-44e5-a866-e7cb0532f7c1\"},{\"properties\":{\"displayName\":\"Authentication + should be enabled on your Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + App Service Authentication is a feature that can prevent anonymous HTTP requests + from reaching the Function app, or authenticate those that have tokens before + they reach the Function app\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution 
of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"equals\":\"functionapp\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/siteAuthEnabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1353 - Incident Response Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1353\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c785ad59-f78f-44ad-9a7f-d1202318c748\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c785ad59-f78f-44ad-9a7f-d1202318c748\"},{\"properties\":{\"displayName\":\"Email + notifications to admins and subscription owners should be enabled in SQL server + advanced data security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + that 'email notification to admins and subscription owners' is enabled in + the SQL server advanced threat protection settings. 
This ensures that any + detections of anomalous activities on SQL server are reported as soon as possible + to the admins.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/emailAccountAdmins\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c8343d2f-fdc9-4a97-b76f-fc71d1163bfc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c8343d2f-fdc9-4a97-b76f-fc71d1163bfc\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Batch Account to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Batch Account to stream to a regional Log Analytics + workspace when any Batch Account which is missing this diagnostic settings + is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log 
Analytics workspace from + dropdown list. If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Batch/batchAccoun
ts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ServiceLog\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c84e5349-db6d-4769-805e-e14037dab9b5\"},{\"properties\":{\"displayName\":\"[Deprecated]: + API App should only be accessible over HTTPS\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + of HTTPS ensures server/service authentication and protects data in transit + from network layer eavesdropping attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"api\"},{\"field\":\"kind\",\"equals\":\"apiApp\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"OnlyHttpsForApiApp\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c85538c1-b527-4ce4-bdb4-1dabcb3fd90d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c85538c1-b527-4ce4-bdb4-1dabcb3fd90d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1470 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1470\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c89ba09f-2e0f-44d0-8095-65b05bd151ef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c89ba09f-2e0f-44d0-8095-65b05bd151ef\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Interactive Logon'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. 
This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Interactive Logon'. For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Com
pute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsInteractiveLogon\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c8abcef9-fc26-482f-b8db-5fa60ee4586d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c8abcef9-fc26-482f-b8db-5fa60ee4586d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1018 - Account Management | Role-Based Schemes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1018\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9121abf-e698-4ee9-b1cf-71ee528ff07f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9121abf-e698-4ee9-b1cf-71ee528ff07f\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Data Lake Analytics should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Data + Lake\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c95c74d9-38fe-4f0d-af86-0c7d626a315c\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'User Rights Assignment'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'User Rights Assignment'. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_UserRightsAssignment\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c961dac9-5916-42e8-8fb1-703148323994\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c961dac9-5916-42e8-8fb1-703148323994\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs with a pending reboot\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with a pending reboot. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"fie
ld\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPendingReboot\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPendingReboot\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + 
toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c96f3246-4382-4264-bf6b-af0b35e23c3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c96f3246-4382-4264-bf6b-af0b35e23c3c\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Network Security Groups\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy automatically deploys diagnostic settings to network security groups. 
+ A storage account with name '{storagePrefixParameter}{NSGLocation}' will be + automatically created.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"storagePrefix\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Storage + Account Prefix for Regional Storage Account\",\"description\":\"This prefix + will be combined with the network security group location to form the created + storage account name.\"}},\"rgName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Resource + Group Name for Storage Account (must exist)\",\"description\":\"The resource + group that the storage account will be created in. This resource group must + already exist.\",\"strongType\":\"ExistingResourceGroups\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"setbypolicy\",\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"},\"storagePrefix\":{\"type\":\"string\"},\"nsgName\":{\"type\":\"string\"},\"rgName\":{\"type\":\"string\"}},\"variables\":{\"storageDeployName\":\"[concat('policyStorage_', + uniqueString(parameters('location'), 
parameters('nsgName')))]\"},\"resources\":[{\"type\":\"Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings\",\"name\":\"[concat(parameters('nsgName'),'/Microsoft.Insights/setbypolicy')]\",\"apiVersion\":\"2017-05-01-preview\",\"location\":\"[parameters('location')]\",\"dependsOn\":[\"[variables('storageDeployName')]\"],\"properties\":{\"storageAccountId\":\"[reference(variables('storageDeployName')).outputs.storageAccountId.value]\",\"logs\":[{\"category\":\"NetworkSecurityGroupEvent\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}},{\"category\":\"NetworkSecurityGroupRuleCounter\",\"enabled\":true,\"retentionPolicy\":{\"enabled\":false,\"days\":0}}]}},{\"apiVersion\":\"2017-05-10\",\"name\":\"[variables('storageDeployName')]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[parameters('rgName')]\",\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"location\":{\"value\":\"[parameters('location')]\"},\"storagePrefix\":{\"value\":\"[parameters('storagePrefix')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"location\":{\"type\":\"string\"},\"storagePrefix\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-06-01\",\"type\":\"Microsoft.Storage/storageAccounts\",\"name\":\"[concat(parameters('storageprefix'), + parameters('location'))]\",\"sku\":{\"name\":\"Standard_LRS\",\"tier\":\"Standard\"},\"kind\":\"Storage\",\"location\":\"[parameters('location')]\",\"tags\":{\"created-by\":\"policy\"},\"scale\":null,\"properties\":{\"networkAcls\":{\"bypass\":\"AzureServices\",\"defaultAction\":\"Allow\",\"ipRules\":[],\"virtualNetworkRules\":[]},\"supportsHttpsTrafficOnly\":true}}],\"outputs\":{\"storageAccountId\":{\"type\":\"string\",\"value\":\"[resourceId(parameters('rgName'), + 'Microsoft.Storage/storageAccounts',concat(parameters('storagePrefix'), 
parameters('location')))]\"}}}}}]},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"storagePrefix\":{\"value\":\"[parameters('storagePrefix')]\"},\"rgName\":{\"value\":\"[parameters('rgName')]\"},\"nsgName\":{\"value\":\"[field('name')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9c29499-c1d1-4195-99bd-2ec9e3a9dc89\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9c29499-c1d1-4195-99bd-2ec9e3a9dc89\"},{\"properties\":{\"displayName\":\"Storage + accounts should allow access from trusted Microsoft services\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Some + Microsoft services that interact with storage accounts operate from networks + that can't be granted access through network rules. To help this type of service + work as intended, allow the set of trusted Microsoft services to bypass the + network rules. These services will then use strong authentication to access + the storage account.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Storage\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\"exists\":\"true\"},{\"field\":\"Microsoft.Storage/storageAccounts/networkAcls.bypass\",\"notContains\":\"AzureServices\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/c9d007d0-c057-4772-b18c-01e546713bcd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"c9d007d0-c057-4772-b18c-01e546713bcd\"},{\"properties\":{\"displayName\":\"App + Configuration should use a private 
link\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any App Configuration instance that does not use a private link.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Configuration\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.AppConfiguration/configurationStores\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.AppConfiguration/configurationStores/privateEndpointConnections\",\"existenceCondition\":{\"field\":\"Microsoft.AppConfiguration/configurationStores/privateEndpointConnections/privateLinkServiceConnectionState.status\",\"equals\":\"Approved\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ca610c1d-041c-4332-9d88-7ed3094967c7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1035 - Least Privilege | Authorize Access To Security Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1035\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ca94b046-45e2-444f-a862-dc8ce262a516\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ca94b046-45e2-444f-a862-dc8ce262a516\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1243 - Contingency Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1243\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ca9a4469-d6df-4ab2-a42f-1213c396f0ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ca9a4469-d6df-4ab2-a42f-1213c396f0ec\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1306 - Identification And Authentication (Org. Users) | Net. + Access To Priv. Accts. 
- Replay\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1306\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cafc6c3c-5fc5-4c5e-a99b-a0ccb1d34eff\"},{\"properties\":{\"displayName\":\"Remote + debugging should be turned off for Web Applications\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + debugging requires inbound ports to be opened on a web application. Remote + debugging should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cb510bfd-1cba-4d9f-a230-cb0976f4bb71\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1486 - Alternate 
Work Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1486\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cb790345-a51f-43de-934e-98dbfaf9dca5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cb790345-a51f-43de-934e-98dbfaf9dca5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1167 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1167\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cbb2be76-4891-430b-95a7-ca0b0a3d1300\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cbb2be76-4891-430b-95a7-ca0b0a3d1300\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1374 - Incident Response Assistance\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1374\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc5c8616-52ef-4e5e-8000-491634ed9249\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc5c8616-52ef-4e5e-8000-491634ed9249\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs in which the Administrators group does not + contain only the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines in which the Administrators group does not + contain only the specified members. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembers\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc7cda28-f867-4311-8497-a526129a8d19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc7cda28-f867-4311-8497-a526129a8d19\"},{\"properties\":{\"displayName\":\"[Preview]: + Sensitive data in your SQL databases should be classified\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Azure + Security Center monitors the data discovery and classification scan results + for your SQL databases and provides recommendations to classify the sensitive + data in your databases for better monitoring and security\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security + Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Sql/servers/databases\",\"Microsoft.Sql/managedInstances/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"sqlDataClassification\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349\"},{\"properties\":{\"displayName\":\"Allowed + virtual machine SKUs\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy enables you to specify a set of virtual machine SKUs that your organization + can deploy.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Compute\"},\"parameters\":{\"listOfAllowedSKUs\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of SKUs that can be specified for virtual machines.\",\"displayName\":\"Allowed + SKUs\",\"strongType\":\"VMSKUs\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"not\":{\"field\":\"Microsoft.Compute/virtualMachines/sku.name\",\"in\":\"[parameters('listOfAllowedSKUs')]\"}}]},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cccc23c7-8427-4f53-ad12-b6a63eb452b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cccc23c7-8427-4f53-ad12-b6a63eb452b3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1443 - Media Use\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1443\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd0ec6fa-a2e7-4361-aee4-a8688659a9ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd0ec6fa-a2e7-4361-aee4-a8688659a9ed\"},{\"properties\":{\"displayName\":\"Inherit + a tag from the resource group\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + or replaces the specified tag and value from the parent resource group when + any resource is created or updated. Existing resources can be remediated by + triggering a remediation task.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"notEquals\":\"[resourceGroup().tags[parameters('tagName')]]\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd3aa116-8754-49c9-a813-ad46512ece54\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd3aa116-8754-49c9-a813-ad46512ece54\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation if 'department' tag 
set\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation only if the 'department' tag is set\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Tags\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"tags\",\"containsKey\":\"department\"}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd8dc879-a2ae-43c3-8211-1877c5755064\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd8dc879-a2ae-43c3-8211-1877c5755064\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1582 - Information System Documentation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1582\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cd9e2f38-259b-462c-bfad-0ad7ab4e65c5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cd9e2f38-259b-462c-bfad-0ad7ab4e65c5\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that allow re-use of the previous 24 passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that allow re-use of the previous 24 passwords. 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"EnforcePasswordHistory\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cdbf72d9-ac9c-4026-8a3a-491a5ac59293\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cdbf72d9-ac9c-4026-8a3a-491a5ac59293\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1104 - Audit Events\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1104\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cdd8d244-18b2-4306-a1d1-df175ae0935f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cdd8d244-18b2-4306-a1d1-df175ae0935f\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 
'System Audit + Policies - Privilege Use'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - Privilege Use'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft
.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesPrivilegeUse\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"str
ing\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ce2370f6-0ac5-4d85-8ab4-10721cc640b0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ce2370f6-0ac5-4d85-8ab4-10721cc640b0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1209 - Configuration Settings\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1209\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ce669c31-9103-4552-ae9c-cdef4e03580d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ce669c31-9103-4552-ae9c-cdef4e03580d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1242 - Contingency Planning Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1242\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf3b3293-667a-445e-a722-fa0b0afc0958\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf3b3293-667a-445e-a722-fa0b0afc0958\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1097 - Role-Based Security Training | Suspicious Communications + And Anomalous System Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1097\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf3e4836-f19e-47eb-a8cd-c3ca150452c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf3e4836-f19e-47eb-a8cd-c3ca150452c0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1424 - Maintenance Personnel | Individuals Without Appropriate + Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1424\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf55fc87-48e1-4676-a2f8-d9a8cf993283\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf55fc87-48e1-4676-a2f8-d9a8cf993283\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Key Vault should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key + Vault\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cf820ca0-f99e-4f3e-84fb-66e913812d21\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1292 - Information System Backup | Test Restoration Using + Sampling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1292\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d03516cf-0293-489f-9b32-a18f2a79f836\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d03516cf-0293-489f-9b32-a18f2a79f836\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1724 - Error Handling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1724\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d07594d1-0307-4c08-94db-5d71ff31f0f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d07594d1-0307-4c08-94db-5d71ff31f0f6\"},{\"properties\":{\"displayName\":\"[Preview]: + Container Registries should not allow unrestricted network access\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Container Registries that do not have any Network (IP or VNET) Rules configured + and allow all network access by default. Container Registries with at least + one IP / Firewall rule or configured virtual network will be deemed compliant. 
+ For more information on Container Registry Network rules, please visit: https://aka.ms/acr/vnet.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Container + Registry\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerRegistry/registries\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction\",\"exists\":\"false\"},{\"field\":\"Microsoft.ContainerRegistry/registries/networkRuleSet.defaultAction\",\"equals\":\"Allow\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d0793b48-0edc-4296-a390-4c75d1bdfd71\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1084 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1084\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d0eb15db-dd1c-4d1d-b200-b12dd6cd060c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d0eb15db-dd1c-4d1d-b200-b12dd6cd060c\"},{\"properties\":{\"displayName\":\"Add + or replace a tag on resource 
groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Adds + or replaces the specified tag and value when any resource group is created + or updated. Existing resource groups can be remediated by triggering a remediation + task.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}},\"tagValue\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Value\",\"description\":\"Value of the tag, such as 'production'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"notEquals\":\"[parameters('tagValue')]\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"addOrReplace\",\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"value\":\"[parameters('tagValue')]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d157c373-a6c4-483d-aaad-570756956268\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d157c373-a6c4-483d-aaad-570756956268\"},{\"properties\":{\"displayName\":\"Enforce + SSL connection should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any PostgreSQL server that is not enforcing SSL connection. + Azure Database for PostgreSQL prefers connecting your client applications + to the PostgreSQL service using Secure Sockets Layer (SSL). 
Enforcing SSL + connections between your database server and your client applications helps + protect against 'man-in-the-middle' attacks by encrypting the data stream + between the server and your application\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"exists\":\"true\"},{\"field\":\"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d158790f-bfb0-486c-8631-2dc6b4e8e6af\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1620 - Denial Of Service Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1620\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d17c826b-1dec-43e1-a984-7b71c446649c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d17c826b-1dec-43e1-a984-7b71c446649c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1409 - Maintenance Tools | Prevent Unauthorized 
Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1409\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1880188-e51a-4772-b2ab-68f5e8bd27f6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1880188-e51a-4772-b2ab-68f5e8bd27f6\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Function Apps that are not using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + of custom domains protects a Function app from common attacks such as phishing + and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"functionapp\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux\"},{\"field\":\"kind\",\"equals\":\"functionapp,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1cb47db-b7a1-4c46-814e-aad1c0e84f3c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1cb47db-b7a1-4c46-814e-aad1c0e84f3c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1195 - Configuration Change Control | Automated Document / + Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1195\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d1e1d65c-1013-4484-bd54-991332e6a0d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d1e1d65c-1013-4484-bd54-991332e6a0d2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1721 - Spam Protection | Central Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1721\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d207aaef-7c4d-4f8c-9dce-4d62dfa3d29a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1106 - Audit Events | Reviews And Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1106\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d2b4feae-61ab-423f-a4c5-0e38ac4464d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d2b4feae-61ab-423f-a4c5-0e38ac4464d8\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1030 - Information Flow Enforcement | Physical / Logical Separation + Of Information Flows\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1030\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d3531453-b869-4606-9122-29c1cd6e7ed1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d3531453-b869-4606-9122-29c1cd6e7ed1\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs on which the DSC configuration is + not compliant\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows VMs on which + the Desired State Configuration (DSC) configuration is not compliant. This + policy is only applicable to machines with WMF 4 and above. It also creates + a system-assigned managed identity and deploys the VM extension for Guest + Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsDscConfiguration\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsDscConfiguration\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d38b4c26-9d2e-47d7-aefe-18d859a8706a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d38b4c26-9d2e-47d7-aefe-18d859a8706a\"},{\"properties\":{\"displayName\":\"Long-term + geo-redundant backup should be enabled for 
Azure SQL Databases\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Azure SQL Database with long-term geo-redundant backup not + enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers/databases\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies\",\"name\":\"default\",\"existenceCondition\":{\"anyOf\":[{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/weeklyRetention\",\"notEquals\":\"PT0S\"},{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/monthlyRetention\",\"notEquals\":\"PT0S\"},{\"field\":\"Microsoft.Sql/servers/databases/backupLongTermRetentionPolicies/yearlyRetention\",\"notEquals\":\"PT0S\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d38fc420-0735-4ef3-ac11-c806f651a570\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1641 - Transmission Confidentiality And Integrity | Cryptographic + Or Alternate Physical Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1641\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d39d4f68-7346-4133-8841-15318a714a24\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d39d4f68-7346-4133-8841-15318a714a24\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1249 - Contingency Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1249\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d3bf4251-0818-42db-950b-afd5b25a51c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d3bf4251-0818-42db-950b-afd5b25a51c2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1562 - Allocation Of Resources\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1562\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d4142013-7964-4163-a313-a900301c2cef\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d4142013-7964-4163-a313-a900301c2cef\"},{\"properties\":{\"displayName\":\"Virtual + machines should be connected to an approved virtual network\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any virtual machine connected to a virtual network that is not + approved.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"The + effect determines what happens when the policy rule is evaluated to match\"},\"allowedValues\":[\"Audit\",\"Deny\",\"Disabled\"],\"defaultValue\":\"Audit\"},\"virtualNetworkId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Virtual + network Id\",\"description\":\"Resource Id of the virtual network. 
Example: + /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkInterfaces\"},{\"not\":{\"field\":\"Microsoft.Network/networkInterfaces/ipconfigurations[*].subnet.id\",\"like\":\"[concat(parameters('virtualNetworkId'),'/*')]\"}}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d416745a-506c-48b6-8ab1-83cb814bcaa3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1383 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1383\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d4558451-e16a-4d2d-a066-fe12a6282bb9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d4558451-e16a-4d2d-a066-fe12a6282bb9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1112 - Response To Audit Processing Failures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1112\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d530aad8-4ee2-45f4-b234-c061dae683c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d530aad8-4ee2-45f4-b234-c061dae683c0\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Data Lake Analytics to stream to a regional Log + Analytics workspace when any Data Lake Analytics which is missing this diagnostic + settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_logAnalytics\"},\"logAnalytics\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Log + Analytics workspace\",\"description\":\"Select Log Analytics workspace from + dropdown list. 
If this workspace is outside of the scope of the assignment + you must manually grant 'Log Analytics Contributor' permissions (or similar) + to the policy assignment's principal ID.\",\"strongType\":\"omsWorkspace\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeAnalytics/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"logAnalytics\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSetti
ngs\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"workspaceId\":\"[parameters('logAnalytics')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"logAnalytics\":{\"value\":\"[parameters('logAnalytics')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1585 - Security Engineering Principles\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1585\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d57f8732-5cdc-4cda-8d27-ab148e1f3a55\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d57f8732-5cdc-4cda-8d27-ab148e1f3a55\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1667 - System And Information Integrity Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1667\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d61880dc-6e38-4f2a-a30c-3406a98f8220\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d61880dc-6e38-4f2a-a30c-3406a98f8220\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1150 - Security Assessments | External Organizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1150\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d630429d-e763-40b1-8fba-d20ba7314afb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d630429d-e763-40b1-8fba-d20ba7314afb\"},{\"properties\":{\"displayName\":\"Event + Hub should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Event Hub not configured to use a virtual network service + endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.EventHub/namespaces/virtualNetworkRules\",\"existenceCondition\":{\"field\":\"Microsoft.EventHub/namespaces/virtualNetworkRules/virtualNetworkSubnetId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d63edb4a-c612-454d-b47d-191a724fcbf0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1549 - Vulnerability Scanning\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1549\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d6976a08-d969-4df2-bb38-29556c2eb48a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d6976a08-d969-4df2-bb38-29556c2eb48a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1473 - Emergency Power\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1473\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d7047705-d719-46a7-8bb0-76ad233eba71\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d7047705-d719-46a7-8bb0-76ad233eba71\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1529 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1529\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d74fdc92-1cb8-4a34-9978-8556425cd14c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d74fdc92-1cb8-4a34-9978-8556425cd14c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1350 - Identification And Authentication (Non-Org. Users) + | Use Of FICAM-Issued Profiles\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1350\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d77fd943-6ba6-4a21-ba07-22b03e347cc4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d77fd943-6ba6-4a21-ba07-22b03e347cc4\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows Server VMs on which Windows Serial Console is not + enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows Server virtual machines on which Windows Serial Console is + not enabled. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsSerialConsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d7ccd0ca-8d78-42af-a43d-6b7f928accbc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d7ccd0ca-8d78-42af-a43d-6b7f928accbc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1016 - Account Management | Automated Audit Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1016\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d8b43277-512e-40c3-ab00-14b3b6e72238\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d8b43277-512e-40c3-ab00-14b3b6e72238\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1488 - Alternate Work 
Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1488\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d8ef30eb-a44f-47af-8524-ac19a36d41d2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d8ef30eb-a44f-47af-8524-ac19a36d41d2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1577 - Acquisition Process | Continuous Monitoring Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1577\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d922484a-8cfc-4a6b-95a4-77d6a685407f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d922484a-8cfc-4a6b-95a4-77d6a685407f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1271 - Alternate Storage Site | Accessibility\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1271\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/da3bfb53-9c46-4010-b3db-a7ba1296dada\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"da3bfb53-9c46-4010-b3db-a7ba1296dada\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1516 - Personnel Termination\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1516\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/da3cd269-156f-435b-b472-c3af34c032ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"da3cd269-156f-435b-b472-c3af34c032ed\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Batch Account to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Batch Account to stream to a regional Event Hub + when any Batch Account which is missing this diagnostic settings is created + or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Batch/batchAccounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.Batch/batchAccounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ServiceLog\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/db51110f-0865-4a6e-b274-e2e07a5b2cd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"db51110f-0865-4a6e-b274-e2e07a5b2cd7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1277 - Alternate Processing Site | Priority Of Service\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1277\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dc43e829-3d50-4a0a-aa0f-428d551862aa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dc43e829-3d50-4a0a-aa0f-428d551862aa\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1439 - Media 
Sanitization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1439\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dce72873-c5f1-47c3-9b4f-6b8207fd5a45\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dce72873-c5f1-47c3-9b4f-6b8207fd5a45\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1264 - Contingency Plan Testing | Coordinate With Related + Plans\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1264\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd280d4b-50a1-42fb-a479-ece5878acf19\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd280d4b-50a1-42fb-a479-ece5878acf19\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Applications that are not using custom domains\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + of custom domains protects a web application from common attacks such as phishing + and other DNS-related attacks.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + 
Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UsedCustomDomains\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd2ea520-6b06-45c3-806e-ea297c23e06a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd2ea520-6b06-45c3-806e-ea297c23e06a\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'System Audit Policies + - Policy Change'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'System Audit Policies - Policy Change'. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesPolicyChange\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd4680ed-0559-4a6a-ad10-081d14cbb484\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd4680ed-0559-4a6a-ad10-081d14cbb484\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1715 - Software, Firmware, And Information Integrity | Automated + Response To Integrity Violations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1715\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd469ae0-71a8-4adc-aafc-de6949ca3339\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd469ae0-71a8-4adc-aafc-de6949ca3339\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1678 - Malicious Code Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1678\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd533cb0-b416-4be7-8e86-4d154824dfd7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd533cb0-b416-4be7-8e86-4d154824dfd7\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1391 - Information Spillage Response | Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1391\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd6ac1a1-660e-4810-baa8-74e868e2ed47\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd6ac1a1-660e-4810-baa8-74e868e2ed47\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1146 - Security Assessments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1146\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dd83410c-ecb6-4547-8f14-748c3cbdc7ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dd83410c-ecb6-4547-8f14-748c3cbdc7ac\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1602 - Developer Security Testing And Evaluation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1602\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddae2e97-a449-499f-a1c8-aea4a7e52ec9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddae2e97-a449-499f-a1c8-aea4a7e52ec9\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Settings - + Account Policies'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Settings - Account Policies'. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecuritySettingsAccountPolicies\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddb53c61-9db4-41d4-a953-2abff5b66c12\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddb53c61-9db4-41d4-a953-2abff5b66c12\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Recovery console'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Recovery console'. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Recovery console: Allow floppy copy and access to all drives and all folders\",\"description\":\"Specifies + whether to make the Recovery Console SET command available, which allows setting + of recovery console environment variables.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":
\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsRecoveryconsole\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue', + '=', 
parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsRecoveryconsole\"},\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue\",\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Recovery + console: Allow floppy copy and access to all drives and all folders;ExpectedValue\",\"value\":\"[parameters('RecoveryConsoleAllowFloppyCopyAndAccessToAllDrivesAndAllFolders')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ddc0a4d5-5e08-43d5-9fd9-b586d8d7116b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1689 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1689\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/de901f2f-a01a-4456-97f0-33cda7966172\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"de901f2f-a01a-4456-97f0-33cda7966172\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1528 - Access Agreements\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1528\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/deb9797c-22f8-40e8-b342-a84003c924e6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"deb9797c-22f8-40e8-b342-a84003c924e6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1673 - Flaw Remediation | Automated Flaw Remediation Status\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1673\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/dff0b90d-5a6f-491c-b2f8-b90aa402d844\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"dff0b90d-5a6f-491c-b2f8-b90aa402d844\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Allow resource creation only in Japan data centers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Allows + resource creation in the following locations only: Japan East, Japan West\",\"metadata\":{\"category\":\"General\",\"deprecated\":true},\"parameters\":{},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"japaneast\",\"japanwest\"]}},\"then\":{\"effect\":\"Deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e01598e8-6538-41ed-95e8-8b29746cd697\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e01598e8-6538-41ed-95e8-8b29746cd697\"},{\"properties\":{\"displayName\":\"Cosmos + DB should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Cosmos DB not configured to use a virtual network service + endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DocumentDB/databaseAccounts\"},{\"field\":\"Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*].id\",\"exists\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1206 - Access Restrictions For Change | Limit Production / + Operational Privileges\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1206\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0de232d-02a0-4652-872d-88afb4ae5e91\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0de232d-02a0-4652-872d-88afb4ae5e91\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs that do not have the specified Windows + PowerShell execution policy\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + where Windows PowerShell is not configured to use the specified PowerShell + execution policy. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. 
This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ExecutionPolicy\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"PowerShell + Execution Policy\",\"description\":\"The expected PowerShell execution policy.\"},\"allowedValues\":[\"AllSigned\",\"Bypass\",\"Default\",\"RemoteSigned\",\"Restricted\",\"Undefined\",\"Unrestricted\"]}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"lik
e\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellExecutionPolicy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy', + '=', 
parameters('ExecutionPolicy')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"WindowsPowerShellExecutionPolicy\"},\"ExecutionPolicy\":{\"value\":\"[parameters('ExecutionPolicy')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ExecutionPolicy\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy\",\"value\":\"[parameters('ExecutionPolicy')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[PowerShellExecutionPolicy]PowerShellExecutionPolicy1;ExecutionPolicy\",\"value\":\"[parameters('ExecutionPolicy')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e0efc13a-122a-47c5-b817-2ccfe5d12615\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e0efc13a-122a-47c5-b817-2ccfe5d12615\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1714 - Software, Firmware, And Information Integrity | Automated + Notifications Of Integrity Violations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1714\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e12494fa-b81e-4080-af71-7dbacc2da0ec\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e12494fa-b81e-4080-af71-7dbacc2da0ec\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1686 - Information System Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1686\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e17085c5-0be8-4423-b39b-a52d3d1402e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e17085c5-0be8-4423-b39b-a52d3d1402e5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1722 - Spam Protection | Automatic Updates\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1722\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1da06bd-25b6-4127-a301-c313d6873fff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1da06bd-25b6-4127-a301-c313d6873fff\"},{\"properties\":{\"displayName\":\"Vulnerabilities + in security configuration on your machines should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Servers + which do not satisfy the configured baseline will be monitored by Azure Security + Center as recommendations\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"osVulnerabilities\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1047 - System Use Notification\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1047\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e1ff6d62-a55c-41ab-90ba-90bb5b7b6f62\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1276 - Alternate Processing Site | Accessibility\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1276\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e214e563-1206-4a43-a56b-ac5880c9c571\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e214e563-1206-4a43-a56b-ac5880c9c571\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1560 - System And Services Acquisition Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1560\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e29e0915-5c2f-4d09-8806-048b749ad763\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e29e0915-5c2f-4d09-8806-048b749ad763\"},{\"properties\":{\"displayName\":\"Ensure + that 'HTTP Version' is the latest, if used to run the Function app\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Periodically, + newer versions are released for HTTP either due to security flaws or to include + additional functionality. Using the latest HTTP version for web apps to take + advantage of security fixes, if any, and/or new functionalities of the newer + version.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.http20Enabled\",\"equals\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e2c1c086-2d84-4019-bff3-c44ccd95113c\"},{\"properties\":{\"displayName\":\"[Preview]: + Audit Dependency Agent Deployment in VMSS - VM Image (OS) 
unlisted\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + VMSS as non-compliant if the VM Image (OS) is not in the list defined and + the agent is not installed. The list of OS images will be updated over time + as support is updated.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"listOfImageIdToInclude_windows\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Windows OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]},\"listOfImageIdToInclude_linux\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Optional: List of VM images that have supported Linux OS to add to scope\",\"description\":\"Example + value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'\"},\"defaultValue\":[]}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},{\"not\":{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_windows')]\"},{\"field\":\"Microsoft.Compute/imageId\",\"in\":\"[parameters('listOfImageIdToInclude_linux')]\"},{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"2008-R2-SP1\",\"2008-R2-SP1-smalldisk\",\"2012-Datacenter\",\"2012-Datacenter-smalldisk\",\"2012-R2-Datacenter\",\"2012-R2-Datacenter-smalldisk\",\"2016-Datacenter\",\"2016-Datacenter-Server-Core\",\"2016-Datacenter-Server-Core-smalldisk\",\"2016-Datacenter-smalldisk\",\"2016-Datacenter-with-Containers\",\"2016-Datacenter-with-RDSH\",\"2019-Datacenter\",\"2019-Datacenter-Core\",\"201
9-Datacenter-Core-smalldisk\",\"2019-Datacenter-Core-with-Containers\",\"2019-Datacenter-Core-with-Containers-smalldisk\",\"2019-Datacenter-smalldisk\",\"2019-Datacenter-with-Containers\",\"2019-Datacenter-with-Containers-smalldisk\",\"2019-Datacenter-zhcn\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerSemiAnnual\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"Datacenter-Core-1709-smalldisk\",\"Datacenter-Core-1709-with-Containers-smalldisk\",\"Datacenter-Core-1803-with-Containers-smalldisk\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServerHPCPack\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"WindowsServerHPCPack\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2016-BYOL\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"*-WS2012R2-BYOL\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftRServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"MLServer-WS2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftVisualStudio\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"VisualStudio\",\"Windows\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftDynamicsAX\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Dynamics\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"equals\":\"Pre-Req-AX7-Onebox-U8\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"windows-data-science-vm\"}]},{\"a
llOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsDesktop\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Windows-10\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"RHEL\",\"RHEL-SAP-HANA\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"SUSE\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"SLES\",\"SLES-HPC\",\"SLES-HPC-Priority\",\"SLES-SAP\",\"SLES-SAP-BYOS\",\"SLES-Priority\",\"SLES-BYOS\",\"SLES-SAPCAL\",\"SLES-Standard\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"12-SP2\",\"12-SP3\",\"12-SP4\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"14.04.0-LTS\",\"14.04.1-LTS\",\"14.04.5-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"16.04-LTS\",\"16.04.0-LTS\"]},{\"field\":\"Microsoft.Compute/imageSKU\",\"in\":[\"18.04-LTS\"]}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"Centos\",\"Centos-LVM\",\"CentOS-SRIOV\"]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"6.*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"like\":\"7*\"}]}]}}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"field\":\"Microsoft.Compute/virtual
MachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.Azure.Monitoring.DependencyAgent\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2dd799a-a932-4e9d-ac17-d473bc3c6c10\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e2dd799a-a932-4e9d-ac17-d473bc3c6c10\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1161 - Continuous Monitoring\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1161\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e2f8f6c6-dde4-436b-a79d-bc50e129eb3a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e2f8f6c6-dde4-436b-a79d-bc50e129eb3a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1387 - Information Spillage Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1387\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3007185-3857-43a9-8237-06ca94f1084c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3007185-3857-43a9-8237-06ca94f1084c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1479 - Fire Protection | Automatic Fire Suppression\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1479\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e327b072-281d-4f75-9c28-4216e5d72f26\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e327b072-281d-4f75-9c28-4216e5d72f26\"},{\"properties\":{\"displayName\":\"Azure + VPN gateways should not use 'basic' SKU\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy ensures that VPN gateways do not use 'basic' SKU.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworkGateways\"},{\"field\":\"Microsoft.Network/virtualNetworkGateways/gatewayType\",\"equals\":\"Vpn\"},{\"field\":\"Microsoft.Network/virtualNetworkGateways/sku.tier\",\"equals\":\"Basic\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e345b6c3-24bd-4c93-9bbb-7e5e49a17b78\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e345b6c3-24bd-4c93-9bbb-7e5e49a17b78\"},{\"properties\":{\"displayName\":\"MFA + should be enabled on accounts with read permissions on your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Multi-Factor + Authentication (MFA) should be enabled for all subscription accounts with + read privileges to prevent a breach of accounts or resources.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"EnableMFAForReadPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3576e28-8b17-4677-84c3-db2990658d64\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3576e28-8b17-4677-84c3-db2990658d64\"},{\"properties\":{\"displayName\":\"RDP + access from the Internet should be 
blocked\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits any network security rule that allows RDP access from Internet\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Network/networkSecurityGroups/securityRules\"},{\"allOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/access\",\"equals\":\"Allow\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\"equals\":\"Inbound\"},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\"equals\":\"3389\"},{\"value\":\"[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), + contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), + contains(range(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), + '-'))), sub(add(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), + '-'))),1), int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), + '-'))))),3389), 'false')]\",\"equals\":\"true\"},{\"count\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"where\":{\"value\":\"[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), + contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), + 
contains(range(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), + '-'))), sub(add(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), + '-'))),1), int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), + '-'))))),3389), 'false')]\",\"equals\":\"true\"}},\"greater\":0},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\"notEquals\":\"3389\"}}]},{\"anyOf\":[{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"*\"},{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\"equals\":\"Internet\"},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"*\"}},{\"not\":{\"field\":\"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\"notEquals\":\"Internet\"}}]}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e372f825-a257-4fb8-9175-797a8a8627d6\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Shutdown'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Shutdown'. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsShutdown\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3a77a94-cf41-4ee8-b45c-98be28841c03\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3a77a94-cf41-4ee8-b45c-98be28841c03\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Settings + - Account Policies'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Settings - + Account Policies'. It also creates a system-assigned managed identity and + deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"EnforcePasswordHistory\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Enforce password history\",\"description\":\"Specifies limits on password + reuse - how many times a new password must be created for a user account before + the password can be repeated.\"},\"defaultValue\":\"24\"},\"MaximumPasswordAge\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Maximum password age\",\"description\":\"Specifies the maximum number of days + that may elapse before a user account password must be changed. The format + of the value is two integers separated by a comma, denoting an inclusive range.\"},\"defaultValue\":\"1,70\"},\"MinimumPasswordAge\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Minimum password age\",\"description\":\"Specifies the minimum number of days + that must elapse before a user account password can be changed.\"},\"defaultValue\":\"1\"},\"MinimumPasswordLength\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Minimum password length\",\"description\":\"Specifies the minimum number of + characters that a user account password may contain.\"},\"defaultValue\":\"14\"},\"PasswordMustMeetComplexityRequirements\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Password must meet complexity requirements\",\"description\":\"Specifies whether + a user account password must be complex. 
If required, a complex password must + not contain part of user's account name or full name; be at least 6 characters + long; contain a mix of uppercase, lowercase, number, and non-alphabetic characters.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":
[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecuritySettingsAccountPolicies\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Enforce + password history;ExpectedValue', '=', parameters('EnforcePasswordHistory'), + ',', 'Maximum password age;ExpectedValue', '=', parameters('MaximumPasswordAge'), + ',', 'Minimum password age;ExpectedValue', '=', parameters('MinimumPasswordAge'), + ',', 'Minimum password length;ExpectedValue', '=', parameters('MinimumPasswordLength'), + ',', 'Password must meet complexity requirements;ExpectedValue', '=', 
parameters('PasswordMustMeetComplexityRequirements')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecuritySettingsAccountPolicies\"},\"EnforcePasswordHistory\":{\"value\":\"[parameters('EnforcePasswordHistory')]\"},\"MaximumPasswordAge\":{\"value\":\"[parameters('MaximumPasswordAge')]\"},\"MinimumPasswordAge\":{\"value\":\"[parameters('MinimumPasswordAge')]\"},\"MinimumPasswordLength\":{\"value\":\"[parameters('MinimumPasswordLength')]\"},\"PasswordMustMeetComplexityRequirements\":{\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"EnforcePasswordHistory\":{\"type\":\"string\"},\"MaximumPasswordAge\":{\"type\":\"string\"},\"MinimumPasswordAge\":{\"type\":\"string\"},\"MinimumPasswordLength\":{\"type\":\"string\"},\"PasswordMustMeetComplexityRequirements\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enforce + password history;ExpectedValue\",\"value\":\"[parameters('EnforcePasswordHistory')]\"},{\"name\":\"Maximum + password 
age;ExpectedValue\",\"value\":\"[parameters('MaximumPasswordAge')]\"},{\"name\":\"Minimum + password age;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordAge')]\"},{\"name\":\"Minimum + password length;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordLength')]\"},{\"name\":\"Password + must meet complexity requirements;ExpectedValue\",\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Enforce + password history;ExpectedValue\",\"value\":\"[parameters('EnforcePasswordHistory')]\"},{\"name\":\"Maximum + password age;ExpectedValue\",\"value\":\"[parameters('MaximumPasswordAge')]\"},{\"name\":\"Minimum + password age;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordAge')]\"},{\"name\":\"Minimum + password length;ExpectedValue\",\"value\":\"[parameters('MinimumPasswordLength')]\"},{\"name\":\"Password + must meet complexity requirements;ExpectedValue\",\"value\":\"[parameters('PasswordMustMeetComplexityRequirements')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3d95ab7-f47a-49d8-a347-784177b6c94c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3d95ab7-f47a-49d8-a347-784177b6c94c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1451 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1451\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e3f1e5a3-25c1-4476-8cb6-3955031f8e65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e3f1e5a3-25c1-4476-8cb6-3955031f8e65\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1357 - Incident Response Training | Automated Training Environments\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1357\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e4213689-05e8-4241-9d4e-8dd1cdafd105\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e4213689-05e8-4241-9d4e-8dd1cdafd105\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - User Account Control'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + User Account Control'. It also creates a system-assigned managed identity + and deploys the VM extension for Guest Configuration. This policy should only + be used along with its corresponding audit policy in an initiative. 
For more + information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + UAC: Admin Approval Mode for the Built-in Administrator account\",\"description\":\"Specifies + the behavior of Admin Approval Mode for the built-in Administrator account.\"},\"defaultValue\":\"1\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + UAC: Behavior of the elevation prompt for administrators in Admin Approval + Mode\",\"description\":\"Specifies the behavior of the elevation prompt for + administrators.\"},\"defaultValue\":\"2\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + UAC: Detect application installations and prompt for elevation\",\"description\":\"Specifies + the behavior of application installation detection for the computer.\"},\"defaultValue\":\"1\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + UAC: Run all administrators in Admin Approval Mode\",\"description\":\"Specifies + the behavior of all User Account Control (UAC) policy settings for the 
computer.\"},\"defaultValue\":\"1\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Win
dows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsUserAccountControl\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue', + '=', parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount'), + ',', 'User Account Control: Behavior of the elevation prompt for administrators + in Admin Approval Mode;ExpectedValue', '=', parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode'), + ',', 'User Account Control: Detect application installations and prompt for + elevation;ExpectedValue', '=', parameters('UACDetectApplicationInstallationsAndPromptForElevation'), + ',', 'User Account Control: Run all administrators in Admin Approval Mode;ExpectedValue', + '=', 
parameters('UACRunAllAdministratorsInAdminApprovalMode')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsUserAccountControl\"},\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"UACAdminApprovalModeForTheBuiltinAdministratorAccount\":{\"type\":\"string\"},\"UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode\":{\"type\":\"string\"},\"UACDetectApplicationInstallationsAndPromptForElevation\":{\"type\":\"string\"},\"UACRunAllAdministratorsInAdminApprovalMode\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue\",\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},{\"name\":\"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},{\"name\":\"User + Account Control: Detect application installations and prompt for elevation;ExpectedValue\",\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},{\"name\":\"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"User + Account Control: Admin Approval Mode for the Built-in Administrator account;ExpectedValue\",\"value\":\"[parameters('UACAdminApprovalModeForTheBuiltinAdministratorAccount')]\"},{\"name\":\"User + Account Control: Behavior of the elevation prompt for administrators in Admin + Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACBehaviorOfTheElevationPromptForAdministratorsInAdminApprovalMode')]\"},{\"name\":\"User + Account Control: Detect application 
installations and prompt for elevation;ExpectedValue\",\"value\":\"[parameters('UACDetectApplicationInstallationsAndPromptForElevation')]\"},{\"name\":\"User + Account Control: Run all administrators in Admin Approval Mode;ExpectedValue\",\"value\":\"[parameters('UACRunAllAdministratorsInAdminApprovalMode')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e425e402-a050-45e5-b010-bd3f934589fc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e425e402-a050-45e5-b010-bd3f934589fc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1340 - Authenticator Management | No Embedded Unencrypted + Static Authenticators\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1340\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e51ff84b-e5ea-408f-b651-2ecc2933e4c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e51ff84b-e5ea-408f-b651-2ecc2933e4c6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1381 - Incident Response Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1381\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e5368258-9684-4567-8126-269f34e65eab\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e5368258-9684-4567-8126-269f34e65eab\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1421 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1421\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e539caaa-da8c-41b8-9e1e-449851e2f7a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e539caaa-da8c-41b8-9e1e-449851e2f7a6\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1716 - Software, Firmware, And Information Integrity | Integration + Of Detection And Response\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1716\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e54c325e-42a0-4dcf-b105-046e0f6f590f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e54c325e-42a0-4dcf-b105-046e0f6f590f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1023 - Account Management | Usage Conditions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1023\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e55698b6-3dea-4aa9-99b9-d8218c6ab6e5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e55698b6-3dea-4aa9-99b9-d8218c6ab6e5\"},{\"properties\":{\"displayName\":\"Allowed + locations\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy enables you to restrict the locations your organization can specify + when deploying resources. Use to enforce your geo-compliance requirements. + Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and + resources that use the 'global' region.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfAllowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources.\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"location\",\"notIn\":\"[parameters('listOfAllowedLocations')]\"},{\"field\":\"location\",\"notEquals\":\"global\"},{\"field\":\"type\",\"notEquals\":\"Microsoft.AzureActiveDirectory/b2cDirectories\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e56962a6-4747-49cd-b67b-bf8b01975c4c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1296 - Information System Recovery And Reconstitution | Transaction + Recovery\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1296\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e57b98a0-a011-4956-a79d-5d17ed8b8e48\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e57b98a0-a011-4956-a79d-5d17ed8b8e48\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1499 - Rules Of Behavior\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1499\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e59671ab-9720-4ee2-9c60-170e8c82251e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e59671ab-9720-4ee2-9c60-170e8c82251e\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Accounts'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Accounts'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. 
This policy should only be used + along with its corresponding audit policy in an initiative. For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AccountsGuestAccountStatus\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Accounts: Guest account status\",\"description\":\"Specifies whether the local + Guest account is disabled.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}
]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsAccounts\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Accounts: + Guest account status;ExpectedValue', '=', 
parameters('AccountsGuestAccountStatus')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsAccounts\"},\"AccountsGuestAccountStatus\":{\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AccountsGuestAccountStatus\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Accounts: + Guest account status;ExpectedValue\",\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Accounts: + Guest account 
status;ExpectedValue\",\"value\":\"[parameters('AccountsGuestAccountStatus')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e5b81f87-9185-4224-bf00-9f505e9f89f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e5b81f87-9185-4224-bf00-9f505e9f89f3\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Applications that are not using latest supported Node.js Framework\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Use + the latest supported Node.js version for the latest security classes. 
Using + older classes and types can make your application vulnerable.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"UseLatestNodeJS\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e67687e8-08d5-4e7f-8226-5b4753bba008\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e67687e8-08d5-4e7f-8226-5b4753bba008\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1465 - Monitoring Physical Access | Monitoring Physical Access + To Information Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1465\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e6e41554-86b5-4537-9f7f-4fc41a1d1640\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e6e41554-86b5-4537-9f7f-4fc41a1d1640\"},{\"properties\":{\"displayName\":\"Subnets + should be associated with a Network Security Group\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Protect + your subnet from potential threats by restricting access to it with a Network + Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules + that allow or deny network traffic to your subnet.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks/subnets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"networkSecurityGroupsOnSubnets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e71308d3-144b-4262-b144-efdc3cc90517\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1567 - System Development Life 
Cycle\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1567\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e72edbf6-aa61-436d-a227-0f32b77194b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e72edbf6-aa61-436d-a227-0f32b77194b3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1311 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1311\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e7568697-0c9e-4ea3-9cec-9e567d14f3c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e7568697-0c9e-4ea3-9cec-9e567d14f3c6\"},{\"properties\":{\"displayName\":\"Advanced + Threat Protection types should be set to 'All' in SQL server Advanced Data + Security settings\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"It + is recommended to enable all Advanced Threat Protection types on your SQL + servers. 
Enabling all types protects against SQL injection, database vulnerabilities, + and any other anomalous activities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/securityAlertPolicies\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/securityAlertPolicies/disabledAlerts[*]\",\"equals\":\"\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e756b945-1b1b-480b-8de8-9a0859d5f7ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e756b945-1b1b-480b-8de8-9a0859d5f7ad\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1154 - System Interconnections | Unclassified Non-National + Security System Connections\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1154\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e757ceb9-93b3-45fe-a4f4-f43f64f1ac5a\"},{\"properties\":{\"displayName\":\"Allowed + locations for resource 
groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy enables you to restrict the locations your organization can create + resource groups in. Use to enforce your geo-compliance requirements.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"General\"},\"parameters\":{\"listOfAllowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that resource groups can be created in.\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions/resourceGroups\"},{\"field\":\"location\",\"notIn\":\"[parameters('listOfAllowedLocations')]\"}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e765b5de-1225-4ba3-bd56-1ac6695af988\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e765b5de-1225-4ba3-bd56-1ac6695af988\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1273 - Alternate Processing Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1273\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e77fcbf2-a1e8-44f1-860e-ed6583761e65\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e77fcbf2-a1e8-44f1-860e-ed6583761e65\"},{\"properties\":{\"displayName\":\"[Deprecated]: + Audit Web Sockets state for a Web Application\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"The + Web Sockets protocol is vulnerable to 
different types of security threats. + Use of Web Sockets within a web application must be carefully reviewed.\",\"metadata\":{\"version\":\"1.0.0-deprecated\",\"category\":\"Security + Center\",\"deprecated\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Deprecated]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"microsoft.Web/sites\"},{\"anyOf\":[{\"field\":\"kind\",\"equals\":\"app\"},{\"field\":\"kind\",\"equals\":\"WebApp\"},{\"field\":\"kind\",\"equals\":\"app,linux\"},{\"field\":\"kind\",\"equals\":\"app,linux,container\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"DisableWebSockets\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e797f851-8be7-4c40-bb56-2e3395215b0e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e797f851-8be7-4c40-bb56-2e3395215b0e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1169 - Continuous Monitoring | Trend Analyses\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1169\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e7ba2cb3-5675-4468-8b50-8486bdd998a5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e7ba2cb3-5675-4468-8b50-8486bdd998a5\"},{\"properties\":{\"displayName\":\"Enforce + SSL connection should be enabled for MySQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any MySQL server that is not enforcing SSL connection. Azure + Database for MySQL supports connecting your Azure Database for MySQL server + to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections + between your database server and your client applications helps protect against + 'man in the middle' attacks by encrypting the data stream between the server + and your application.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.DBforMySQL/servers\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"exists\":\"true\"},{\"field\":\"Microsoft.DBforMySQL/servers/sslEnforcement\",\"notEquals\":\"Enabled\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e802a67a-daf5-4436-9ea6-f6d821dd0c5d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1237 - Software Usage Restrictions | Open Source Software\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1237\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e80b6812-0bfa-4383-8223-cdd86a46a890\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e80b6812-0bfa-4383-8223-cdd86a46a890\"},{\"properties\":{\"displayName\":\"Vulnerabilities + in container security configurations should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + vulnerabilities in security configuration on machines with Docker installed + and display as recommendations in Azure Security Center.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution 
of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\",\"Microsoft.Compute/virtualMachineScaleSets\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"ContainerBenchmark\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8cbc669-f12d-49eb-93e7-9273119e9933\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Data Lake Storage Gen1 to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Data Lake Storage Gen1 to stream to a regional + Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic + settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DataLakeStore/accounts\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.DataLakeStore/accounts/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters
('resourceName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Audit\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Requests\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8d096bc-85de-4c5f-8cfb-857bd1b9d62d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8d096bc-85de-4c5f-8cfb-857bd1b9d62d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1626 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1626\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e8f6bddd-6d67-439a-88d4-c5fe39a79341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e8f6bddd-6d67-439a-88d4-c5fe39a79341\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1502 - Rules Of Behavior | Social Media And Networking Restrictions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1502\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e901375c-8f01-4ac8-9183-d5312f47fe63\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e901375c-8f01-4ac8-9183-d5312f47fe63\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1723 - Information Input Validation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1723\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e91927a0-ac1d-44a0-95f8-5185f9dfce9f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e91927a0-ac1d-44a0-95f8-5185f9dfce9f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1200 - Security Impact Analysis\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1200\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e98fe9d7-2ed3-44f8-93b7-24dca69783ff\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e98fe9d7-2ed3-44f8-93b7-24dca69783ff\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1487 - Alternate Work Site\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1487\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e9c3371d-c30c-4f58-abd9-30b8a8199571\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e9c3371d-c30c-4f58-abd9-30b8a8199571\"},{\"properties\":{\"displayName\":\"Remote + debugging should be turned off for API Apps\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Remote + debugging requires inbound ports to be opened on an API apps. Remote debugging + should be turned off.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"*api\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/remoteDebuggingEnabled\",\"equals\":\"false\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e9c8d085-d9cc-4b17-9cdc-059f1f01f19e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1363 - Incident Handling | Automated Incident Handling Processes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1363\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea3e8156-89a1-45b1-8bd6-938abc79fdfd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea3e8156-89a1-45b1-8bd6-938abc79fdfd\"},{\"properties\":{\"displayName\":\"Inherit + a tag from the resource group if missing\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Adds + the specified tag with its value from the parent resource group when any resource + missing this tag is created or updated. Existing resources can be remediated + by triggering a remediation task. If the tag exists with a different value + it will not be changed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Tags\"},\"parameters\":{\"tagName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Tag + Name\",\"description\":\"Name of the tag, such as 'environment'\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"[concat('tags[', + parameters('tagName'), ']')]\",\"exists\":\"false\"},{\"value\":\"[resourceGroup().tags[parameters('tagName')]]\",\"notEquals\":\"\"}]},\"then\":{\"effect\":\"modify\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"operations\":[{\"operation\":\"add\",\"field\":\"[concat('tags[', + parameters('tagName'), 
']')]\",\"value\":\"[resourceGroup().tags[parameters('tagName')]]\"}]}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea3f2387-9b95-492a-a190-fcdc54f7b070\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea3f2387-9b95-492a-a190-fcdc54f7b070\"},{\"properties\":{\"displayName\":\"Key + Vault should use a virtual network service endpoint\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Key Vault not configured to use a virtual network service + endpoint.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},{\"anyOf\":[{\"field\":\"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\"notEquals\":\"Deny\"},{\"field\":\"Microsoft.KeyVault/vaults/networkAcls.virtualNetworkRules[*].id\",\"exists\":\"false\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea4d6841-2173-4317-9747-ff522a45120f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1422 - Maintenance Personnel\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1422\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ea556850-838d-4a37-8ce5-9d7642f95e11\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ea556850-838d-4a37-8ce5-9d7642f95e11\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1542 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1542\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eab340d0-3d55-4826-a0e5-feebfeb0131d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eab340d0-3d55-4826-a0e5-feebfeb0131d\"},{\"properties\":{\"displayName\":\"Ensure + Function app has 'Client Certificates (Incoming client certificates)' set + to 'On'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Client + certificates allow for the app to request a certificate for incoming requests. 
+ Only clients that have a valid certificate will be able to reach the app.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"},{\"field\":\"Microsoft.Web/sites/clientCertEnabled\",\"equals\":\"false\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eaebaea7-8013-4ceb-9d14-7eb32271373c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eaebaea7-8013-4ceb-9d14-7eb32271373c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1064 - Remote Access | Privileged Commands / Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1064\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb4d9508-cbf0-4a3c-bb5c-6c95b159f3fb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1321 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1321\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb627cc6-3a9d-46b5-96b7-5fca49178a37\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb627cc6-3a9d-46b5-96b7-5fca49178a37\"},{\"properties\":{\"displayName\":\"Log + checkpoints should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy helps audit any PostgreSQL databases in your environment without log_checkpoints + setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_checkpoints\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e43d\"},{\"properties\":{\"displayName\":\"Log + connections should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy helps audit any PostgreSQL databases in your environment without log_connections + setting 
enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_connections\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e442\"},{\"properties\":{\"displayName\":\"Disconnections + should be logged for PostgreSQL database servers.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy helps audit any PostgreSQL databases in your environment without log_disconnections + enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_disconnections\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e446\"},{\"properties\":{\"displayName\":\"Log + duration should be enabled for PostgreSQL database servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy helps audit any PostgreSQL databases in your environment without log_duration + setting enabled.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.DBforPostgreSQL/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.DBforPostgreSQL/servers/configurations\",\"name\":\"log_duration\",\"existenceCondition\":{\"field\":\"Microsoft.DBforPostgreSQL/servers/configurations/value\",\"equals\":\"ON\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eb6f77b9-bd53-4e35-a23d-7f65d5f0e8f3\"},{\"properties\":{\"displayName\":\"Deprecated + accounts with owner permissions should be removed from your 
subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Deprecated + accounts with owner permissions should be removed from your subscription. + \ Deprecated accounts are accounts that have been blocked from signing in.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveDeprecatedAccountsWithOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ebb62a0c-3560-49e1-89ed-27e074e9f8ad\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ebb62a0c-3560-49e1-89ed-27e074e9f8ad\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Linux VMs that allow remote connections from + accounts without passwords\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Linux virtual machines + that allow remote connections from accounts without passwords. It also creates + a system-assigned managed identity and deploys the VM extension for Guest + Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid110\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid110\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ec49586f-4939-402d-a29e-6ff502b20592\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ec49586f-4939-402d-a29e-6ff502b20592\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Administrative + Templates - Control Panel'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Administrative Templates + - Control Panel'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdministrativeTemplatesControlPanel\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdministrativeTemplatesControlPanel\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ec7ac234-2af5-4729-94d2-c557c071799d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ec7ac234-2af5-4729-94d2-c557c071799d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1241 - User-Installed 
Software | Alerts For Unauthorized Installations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1241\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/eca4d7b2-65e2-4e04-95d4-c68606b063c3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"eca4d7b2-65e2-4e04-95d4-c68606b063c3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1622 - Boundary Protection\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1622\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ecf56554-164d-499a-8d00-206b07c27bed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ecf56554-164d-499a-8d00-206b07c27bed\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Key Vault to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Key Vault to stream to a regional Event Hub when + any Key Vault which is missing this diagnostic settings is created or 
updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Key + Vault\"},\"parameters\":{\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.KeyVault/vaults\"},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vaultName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"resources\":[{\"type\":\"Microsoft.KeyVault/vaults/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('vaultName'), + '/', 'Microsoft.Insights/', parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"AuditEvent\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{\"policy\":{\"type\":\"string\",\"value\":\"[concat('Enabled + diagnostic settings for ', 
parameters('vaultName'))]\"}}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"vaultName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ed7c8c13-51e7-49d1-8a43-8490431a0da2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1217 - Least Functionality | Periodic Review\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1217\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/edea4f20-b02c-4115-be75-86c080e5c0ed\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"edea4f20-b02c-4115-be75-86c080e5c0ed\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Stream Analytics to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Stream Analytics to stream to a regional Event + Hub when any Stream Analytics which is missing this diagnostic settings is + created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable 
the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingjobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"Execution\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"Authoring\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/edf3780c-3d70-40fe-b17e-ab72013dafca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"edf3780c-3d70-40fe-b17e-ab72013dafca\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1189 - Configuration Change Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1189\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ee45e02a-4140-416c-82c4-fecfea660b9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ee45e02a-4140-416c-82c4-fecfea660b9d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1089 - Security Awareness 
Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Awareness and Training control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1089\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef080e67-0d1a-4f76-a0c5-fb9b0358485e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef080e67-0d1a-4f76-a0c5-fb9b0358485e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1314 - Identifier Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1314\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef0c8530-efd9-45b8-b753-f03083d06295\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef0c8530-efd9-45b8-b753-f03083d06295\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1128 - Time Stamps\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1128\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef212163-3bc4-4e86-bcf8-705127086393\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef212163-3bc4-4e86-bcf8-705127086393\"},{\"properties\":{\"displayName\":\"Vulnerability + assessment should be enabled on your SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + Azure SQL servers which do not have recurring vulnerability assessment scans + enabled. Vulnerability assessment can discover, track, and help you remediate + potential database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Sql/servers/vulnerabilityAssessments\",\"name\":\"default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/servers/vulnerabilityAssessments/recurringScans.isEnabled\",\"equals\":\"True\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9\"},{\"properties\":{\"displayName\":\"Deploy + Diagnostic Settings for Event Hub to Event Hub\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Deploys + the diagnostic settings for Event Hub 
to stream to a regional Event Hub when + any Event Hub which is missing this diagnostic settings is created or updated.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"DeployIfNotExists\",\"Disabled\"],\"defaultValue\":\"DeployIfNotExists\"},\"profileName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Profile + name\",\"description\":\"The diagnostic settings profile name\"},\"defaultValue\":\"setbypolicy_eventHub\"},\"eventHubRuleId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Event + Hub Authorization Rule Id\",\"description\":\"The Event Hub authorization + rule Id for Azure Diagnostics. The authorization rule needs to be at Event + Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource + group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization + rule}\",\"strongType\":\"Microsoft.EventHub/Namespaces/AuthorizationRules\",\"assignPermissions\":true}},\"metricsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + metrics\",\"description\":\"Whether to enable metrics stream to the Event + Hub - True or False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"False\"},\"logsEnabled\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Enable + logs\",\"description\":\"Whether to enable logs stream to the Event Hub - + True or 
False\"},\"allowedValues\":[\"True\",\"False\"],\"defaultValue\":\"True\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"name\":\"[parameters('profileName')]\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"[parameters('logsEnabled')]\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/metrics.enabled\",\"equals\":\"[parameters('metricsEnabled')]\"}]},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"resourceName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"eventHubRuleId\":{\"type\":\"string\"},\"metricsEnabled\":{\"type\":\"string\"},\"logsEnabled\":{\"type\":\"string\"},\"profileName\":{\"type\":\"string\"}},\"variables\":{},\"resources\":[{\"type\":\"Microsoft.EventHub/namespaces/providers/diagnosticSettings\",\"apiVersion\":\"2017-05-01-preview\",\"name\":\"[concat(parameters('resourceName'), + '/', 'Microsoft.Insights/', 
parameters('profileName'))]\",\"location\":\"[parameters('location')]\",\"dependsOn\":[],\"properties\":{\"eventHubAuthorizationRuleId\":\"[parameters('eventHubRuleId')]\",\"metrics\":[{\"category\":\"AllMetrics\",\"enabled\":\"[parameters('metricsEnabled')]\",\"retentionPolicy\":{\"enabled\":false,\"days\":0}}],\"logs\":[{\"category\":\"ArchiveLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"OperationalLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"AutoScaleLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"KafkaCoordinatorLogs\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"EventHubVNetConnectionEvent\",\"enabled\":\"[parameters('logsEnabled')]\"},{\"category\":\"CustomerManagedKeyUserLogs\",\"enabled\":\"[parameters('logsEnabled')]\"}]}}],\"outputs\":{}},\"parameters\":{\"location\":{\"value\":\"[field('location')]\"},\"resourceName\":{\"value\":\"[field('name')]\"},\"eventHubRuleId\":{\"value\":\"[parameters('eventHubRuleId')]\"},\"metricsEnabled\":{\"value\":\"[parameters('metricsEnabled')]\"},\"logsEnabled\":{\"value\":\"[parameters('logsEnabled')]\"},\"profileName\":{\"value\":\"[parameters('profileName')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef7b61ef-b8e4-4c91-8e78-6946c6b0023f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef7b61ef-b8e4-4c91-8e78-6946c6b0023f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1472 - Emergency Shutoff\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1472\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ef869332-921d-4c28-9402-3be73e6e50c8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ef869332-921d-4c28-9402-3be73e6e50c8\"},{\"properties\":{\"displayName\":\"The + Log Analytics agent should be installed on Virtual Machine Scale Sets\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics + agent is not installed.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachineScaleSets\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Compute/virtualMachineScaleSets/extensions\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/type\",\"in\":[\"MicrosoftMonitoringAgent\",\"OmsAgentForLinux\"]},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState\",\"equals\":\"Succeeded\"},{\"field\":\"Microsoft.Compute/virtualMachineScaleSets/extensions/settings.workspaceId\",\"exists\":\"true\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"efbde977-ba53-4479-b8e9-10b957924fbf\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1012 - Account Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1012\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/efd7b9ae-1db6-4eb6-b0fe-87e6565f9738\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"efd7b9ae-1db6-4eb6-b0fe-87e6565f9738\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1358 - Incident Response 
Testing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Incident Response control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1358\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/effbaeef-5bf4-400d-895e-ef8cbc0e64c7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"effbaeef-5bf4-400d-895e-ef8cbc0e64c7\"},{\"properties\":{\"displayName\":\"Ensure + that Register with Azure Active Directory is enabled on Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Managed + service identity in App Service makes the app more secure by eliminating secrets + from the app, such as credentials in the connection strings. 
When registering + with Azure Active Directory in the app service, the app will connect to other + Azure services securely without the need of username and passwords\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/web.managedServiceIdentityId\",\"exists\":\"true\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0473e7a-a1ba-4e86-afb2-e829e11b01d8\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0473e7a-a1ba-4e86-afb2-e829e11b01d8\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to audit Windows VMs that have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that have the specified applications installed. It also creates a system-assigned + managed identity and deploys the VM extension for Guest Configuration. This + policy should only be used along with its corresponding audit policy in an + initiative. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"parameters\":{\"ApplicationName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Application + names (supports wildcards)\",\"description\":\"A semicolon-separated list + of the names of the applications that should not be installed. e.g. 'Microsoft + SQL Server 2014 (64-bit); Microsoft Visual Studio Code' or 'Microsoft SQL + Server 2014*' (to match any application starting with 'Microsoft SQL Server + 2014')\"}}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.
Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"NotInstalledApplication\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[InstalledApplication]NotInstalledApplicationResource1;Name', + '=', 
parameters('ApplicationName')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"NotInstalledApplication\"},\"ApplicationName\":{\"value\":\"[parameters('ApplicationName')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"ApplicationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]NotInstalledApplicationResource1;Name\",\"value\":\"[parameters('ApplicationName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[InstalledApplication]NotInstalledApplicationResource1;Name\",\"value\":\"[parameters('ApplicationName')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0633351-c7b2-41ff-9981-508fc08553c2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0633351-c7b2-41ff-9981-508fc08553c2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1531 - Third-Party Personnel Security\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1531\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0643e0c-eee5-4113-8684-c608d05c5236\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0643e0c-eee5-4113-8684-c608d05c5236\"},{\"properties\":{\"displayName\":\"Latest + TLS version should be used in your Web App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade + to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"app*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1028 - Information Flow Enforcement\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1028\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f171df5c-921b-41e9-b12b-50801c315475\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f171df5c-921b-41e9-b12b-50801c315475\"},{\"properties\":{\"displayName\":\"Virtual + networks should use specified virtual network gateway\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy audits any virtual network if the default route does not point to the + specified virtual network gateway.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Network\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"virtualNetworkGatewayId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Virtual + network gateway Id\",\"description\":\"Resource Id of the virtual network + gateway. 
Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Network/virtualNetworks\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Network/virtualNetworks/subnets\",\"name\":\"GatewaySubnet\",\"existenceCondition\":{\"not\":{\"field\":\"Microsoft.Network/virtualNetworks/subnets/ipConfigurations[*].id\",\"notContains\":\"[concat(parameters('virtualNetworkGatewayId'), + '/')]\"}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f1776c76-f58c-4245-a8d0-2b207198dc8b\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Linux VMs that do not have the passwd file permissions + set to 0644\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Linux virtual machines + that do not have the passwd file permissions set to 0644. It also creates + a system-assigned managed identity and deploys the VM extension for Guest + Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\
"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordPolicy_msid121\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"PasswordPolicy_msid121\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configura
tionName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f19aa1c1-6b91-4c27-ae6a-970279f03db9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f19aa1c1-6b91-4c27-ae6a-970279f03db9\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Administrative + Templates - MSS (Legacy)'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Administrative Templates + - MSS (Legacy)'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.1-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"al
lOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\",\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_AdminstrativeTemplatesMSSLegacy\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\"}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f1f4825d-58fb-4257-8016-8c00e3c9ed9d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f1f4825d-58fb-4257-8016-8c00e3c9ed9d\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1701 - Information System 
Monitoring | Host-Based Devices\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1701\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f25bc08f-27cb-43b6-9a23-014d00700426\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f25bc08f-27cb-43b6-9a23-014d00700426\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1457 - Physical Access Control\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1457\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f2d9d3e6-8886-4305-865d-639163e5c305\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f2d9d3e6-8886-4305-865d-639163e5c305\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1309 - Identification And Authentication (Org. 
Users) | Acceptance + Of Piv Credentials\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1309\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f355d62b-39a8-4ba3-abf7-90f71cb3b000\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f355d62b-39a8-4ba3-abf7-90f71cb3b000\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1615 - System And Communications Protection Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1615\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f35e02aa-0a55-49f8-8811-8abfa7e6f2c0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f35e02aa-0a55-49f8-8811-8abfa7e6f2c0\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1255 - Contingency Plan | Continue Essential Missions / Business + Functions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1255\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3793f5e-937f-44f7-bfba-40647ef3efa0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3793f5e-937f-44f7-bfba-40647ef3efa0\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs in which the Administrators group does not + contain all of the specified members\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines in which the Administrators group does not + contain all of the specified members. 
For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AdministratorsGroupMembersToInclude\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3b44e5d-1456-475f-9c67-c66c4618e85a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3b44e5d-1456-475f-9c67-c66c4618e85a\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that do not contain the specified certificates + in Trusted Root\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows VMs that do not contain the specified certificates in the + Trusted Root Certification Authorities certificate store (Cert:\\\\LocalMachine\\\\Root). 
+ For more information on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsCertificateInTrustedRoot\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f3b9ad83-000d-4dc1-bff0-6d54533dd03f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f3b9ad83-000d-4dc1-bff0-6d54533dd03f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1706 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1706\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f475ee0e-f560-4c9b-876b-04a77460a404\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f475ee0e-f560-4c9b-876b-04a77460a404\"},{\"properties\":{\"displayName\":\"[Preview]: + Audit Log 
Analytics Workspace for VM - Report Mismatch\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Reports + VMs as non-compliant if they not logging to the LA workspace specified in + the policy/initiative assignment.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Monitoring\",\"preview\":true},\"parameters\":{\"logAnalyticsWorkspaceId\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Log Analytics Workspace Id that VMs should be configured for\",\"description\":\"This + is the Id (GUID) of the Log Analytics Workspace that the VMs should be configured + for.\"}}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines/extensions\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.EnterpriseCloud.Monitoring\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/settings.workspaceId\",\"notEquals\":\"[parameters('logAnalyticsWorkspaceId')]\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f47b5582-33ec-4c5c-87c0-b010a6b2e917\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f47b5582-33ec-4c5c-87c0-b010a6b2e917\"},{\"properties\":{\"displayName\":\"Authorization + rules on the Event Hub instance should be defined\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Audit + existence of authorization rules on Event Hub entities to grant least-privileged + access\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Event Hub\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.EventHub/namespaces/eventhubs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.EventHub/namespaces/eventHubs/authorizationRules\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4826e5f-6a27-407c-ae3e-9582eb39891d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4826e5f-6a27-407c-ae3e-9582eb39891d\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs that do not have the password complexity + setting enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines that do not have the password complexity + setting enabled. 
For more information on Guest Configuration policies, please + visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"PasswordMustMeetComplexityRequirements\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f48b2913-1dc5-4834-8c72-ccc1dfd819bb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f48b2913-1dc5-4834-8c72-ccc1dfd819bb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1495 - System Security Plan\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1495\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4978d0e-a596-48e7-9f8c-bbf52554ce8d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4978d0e-a596-48e7-9f8c-bbf52554ce8d\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs that have 
not restarted within the + specified number of days\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + that have not restarted within the specified number of days. It also creates + a system-assigned managed identity and deploys the VM extension for Guest + Configuration. This policy should only be used along with its corresponding + audit policy in an initiative. For more information on Guest Configuration + policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NumberOfDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Number of days\",\"description\":\"The number of days without restart until + the machine is considered non-compliant\"},\"defaultValue\":\"12\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-
data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"MachineLastBootUpTime\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('[MachineUpTime]MachineLastBootUpTime;NumberOfDays', + '=', 
parameters('NumberOfDays')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"MachineLastBootUpTime\"},\"NumberOfDays\":{\"value\":\"[parameters('NumberOfDays')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NumberOfDays\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[MachineUpTime]MachineLastBootUpTime;NumberOfDays\",\"value\":\"[parameters('NumberOfDays')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', 
parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"[MachineUpTime]MachineLastBootUpTime;NumberOfDays\",\"value\":\"[parameters('NumberOfDays')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4b245d4-46c9-42be-9b1a-49e2b5b94194\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4b245d4-46c9-42be-9b1a-49e2b5b94194\"},{\"properties\":{\"displayName\":\"Deploy + Auditing on SQL servers\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy ensures that Auditing is enabled on SQL Servers for enhanced security + and compliance. 
It will automatically create a storage account in the same + region as the SQL server to store audit records.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"SQL\"},\"parameters\":{\"retentionDays\":{\"type\":\"String\",\"metadata\":{\"description\":\"The + value in days of the retention period (0 indicates unlimited retention)\",\"displayName\":\"Retention + days (optional, 180 days if unspecified)\"},\"defaultValue\":\"180\"},\"storageAccountsResourceGroup\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Resource + group name for storage accounts\",\"description\":\"Auditing writes database + events to an audit log in your Azure Storage account (a storage account will + be created in each region where a SQL Server is created that will be shared + by all servers in that region). Important - for proper operation of Auditing + do not delete or rename the resource group or the storage accounts.\",\"strongType\":\"existingResourceGroups\"}}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Sql/servers\"},\"then\":{\"effect\":\"DeployIfNotExists\",\"details\":{\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"name\":\"Default\",\"existenceCondition\":{\"field\":\"Microsoft.Sql/auditingSettings.state\",\"equals\":\"Enabled\"},\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3\",\"/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab\"],\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"template\":{\"$schema\":\"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"serverName\":{\"type\":\"string\"},\"auditRetentionDays\":{\"type\":\"string\"},\"storageAccountsResourceGroup\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"variables\":{\"retentionDays\":\"[int(parameters('auditRetentionDays'))]\",\"subscriptionId\":\"[subscription().subscriptionId]\",\
"uniqueStorage\":\"[uniqueString(variables('subscriptionId'), + parameters('location'), parameters('storageAccountsResourceGroup'))]\",\"locationCode\":\"[substring(parameters('location'), + 0, 3)]\",\"storageName\":\"[tolower(concat('sqlaudit', variables('locationCode'), + variables('uniqueStorage')))]\",\"createStorageAccountDeploymentName\":\"[concat('sqlServerAuditingStorageAccount-', + uniqueString(variables('locationCode'), parameters('serverName')))]\"},\"resources\":[{\"apiVersion\":\"2017-05-10\",\"name\":\"[variables('createStorageAccountDeploymentName')]\",\"type\":\"Microsoft.Resources/deployments\",\"resourceGroup\":\"[parameters('storageAccountsResourceGroup')]\",\"properties\":{\"mode\":\"Incremental\",\"parameters\":{\"location\":{\"value\":\"[parameters('location')]\"},\"storageName\":{\"value\":\"[variables('storageName')]\"}},\"templateLink\":{\"uri\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/samples/SQL/deploy-sql-server-auditing/createStorage.template.json\",\"contentVersion\":\"1.0.0.0\"}}},{\"name\":\"[concat(parameters('serverName'), + 
'/Default')]\",\"type\":\"Microsoft.Sql/servers/auditingSettings\",\"apiVersion\":\"2017-03-01-preview\",\"properties\":{\"state\":\"Enabled\",\"storageEndpoint\":\"[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountEndPoint.value]\",\"storageAccountAccessKey\":\"[reference(variables('createStorageAccountDeploymentName')).outputs.storageAccountKey.value]\",\"retentionDays\":\"[variables('retentionDays')]\",\"auditActionsAndGroups\":null,\"storageAccountSubscriptionId\":\"[subscription().subscriptionId]\",\"isStorageSecondaryKeyInUse\":false}}]},\"parameters\":{\"serverName\":{\"value\":\"[field('name')]\"},\"auditRetentionDays\":{\"value\":\"[parameters('retentionDays')]\"},\"storageAccountsResourceGroup\":{\"value\":\"[parameters('storageAccountsResourceGroup')]\"},\"location\":{\"value\":\"[field('location')]\"}}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f4c68484-132f-41f9-9b6d-3e4b1cb55036\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1469 - Power Equipment And Cabling\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1469\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f509c5b6-0de0-4a4e-9b2e-cd9cbf3a58fd\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1618 - Security 
Function Isolation\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1618\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f52f89aa-4489-4ec4-950e-8c96a036baa9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f52f89aa-4489-4ec4-950e-8c96a036baa9\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'Security Options + - Network Access'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'Security Options - + Network Access'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network access: Remotely accessible registry paths\",\"description\":\"Specifies + which registry paths will be accessible over the network, regardless of the + users or groups listed in the access control list (ACL) of the `winreg` registry + key.\"},\"defaultValue\":\"System\\\\CurrentControlSet\\\\Control\\\\ProductOptions|#|System\\\\CurrentControlSet\\\\Control\\\\Server + Applications|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network access: Remotely accessible registry paths and sub-paths\",\"description\":\"Specifies + which registry paths and sub-paths will be accessible over the network, regardless + of the users or groups listed in the access control list (ACL) of the `winreg` + registry key.\"},\"defaultValue\":\"System\\\\CurrentControlSet\\\\Control\\\\Print\\\\Printers|#|System\\\\CurrentControlSet\\\\Services\\\\Eventlog|#|Software\\\\Microsoft\\\\OLAP + Server|#|Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print|#|Software\\\\Microsoft\\\\Windows + NT\\\\CurrentVersion\\\\Windows|#|System\\\\CurrentControlSet\\\\Control\\\\ContentIndex|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal + Server|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal Server\\\\UserConfig|#|System\\\\CurrentControlSet\\\\Control\\\\Terminal + Server\\\\DefaultUserConfiguration|#|Software\\\\Microsoft\\\\Windows 
NT\\\\CurrentVersion\\\\Perflib|#|System\\\\CurrentControlSet\\\\Services\\\\SysmonLog\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Network access: Shares that can be accessed anonymously\",\"description\":\"Specifies + which network shares can be accessed by anonymous users. The default configuration + for this policy setting has little effect because all users have to be authenticated + before they can access shared resources on the server.\"},\"defaultValue\":\"0\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Comp
ute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsNetworkAccess\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Network + access: Remotely accessible registry paths;ExpectedValue', '=', parameters('NetworkAccessRemotelyAccessibleRegistryPaths'), + ',', 'Network access: Remotely accessible registry paths and sub-paths;ExpectedValue', + '=', parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths'), + ',', 'Network access: Shares that can be accessed anonymously;ExpectedValue', + '=', 
parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SecurityOptionsNetworkAccess\"},\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"NetworkAccessRemotelyAccessibleRegistryPaths\":{\"type\":\"string\"},\"NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths\":{\"type\":\"string\"},\"NetworkAccessSharesThatCanBeAccessedAnonymously\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network + access: Remotely accessible registry paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},{\"name\":\"Network + 
access: Remotely accessible registry paths and sub-paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},{\"name\":\"Network + access: Shares that can be accessed anonymously;ExpectedValue\",\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Network + access: Remotely accessible registry paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPaths')]\"},{\"name\":\"Network + access: Remotely accessible registry paths and sub-paths;ExpectedValue\",\"value\":\"[parameters('NetworkAccessRemotelyAccessibleRegistryPathsAndSubpaths')]\"},{\"name\":\"Network + access: Shares that can be accessed anonymously;ExpectedValue\",\"value\":\"[parameters('NetworkAccessSharesThatCanBeAccessedAnonymously')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + 
'/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f56a3ab2-89d1-44de-ac0d-2ada5962e22a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f56a3ab2-89d1-44de-ac0d-2ada5962e22a\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1198 - Configuration Change Control | Security Representative\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1198\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f56be5c3-660b-4c61-9078-f67cf072c356\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f56be5c3-660b-4c61-9078-f67cf072c356\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1328 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1328\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f5c66fdc-3d02-4034-9db5-ba57802609de\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f5c66fdc-3d02-4034-9db5-ba57802609de\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1193 - Configuration Change Control | Automated Document / + Notification / Prohibition Of Changes\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1193\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f5fd629f-3075-4cae-ab53-bad65495a4ac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f5fd629f-3075-4cae-ab53-bad65495a4ac\"},{\"properties\":{\"displayName\":\"Internet-facing + virtual machines should be protected with Network Security Groups\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"Protect + your VM from potential threats by restricting access to it with a Network + Security Group (NSG). 
To learn more about controlling traffic with NSGs, visit + https://aka.ms/nsg-doc\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Compute/virtualMachines\",\"Microsoft.ClassicCompute/virtualMachines\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"networkSecurityGroupsOnVirtualMachines\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f6de0be7-9a8a-4b8a-b349-43cf02d22f7c\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1214 - Least Functionality\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1214\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f714a4e2-b580-47b6-ae8c-f2812d3750f3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f714a4e2-b580-47b6-ae8c-f2812d3750f3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1591 - External Information System Services | Ident. 
Of Functions + / Ports / Protocols / Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1591\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f751cdb7-fbee-406b-969b-815d367cb9b3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f751cdb7-fbee-406b-969b-815d367cb9b3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1330 - Authenticator Management | Password-Based Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1330\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f75cedb2-5def-4b31-973e-b69e8c7bd031\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f75cedb2-5def-4b31-973e-b69e8c7bd031\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1540 - Security Categorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1540\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f771f8cb-6642-45cc-9a15-8a41cd5c6977\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f771f8cb-6642-45cc-9a15-8a41cd5c6977\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1449 - Physical Access Authorizations\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1449\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f784d3b0-5f2b-49b7-b9f3-00ba8653ced5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f784d3b0-5f2b-49b7-b9f3-00ba8653ced5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1506 - Personnel Security Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1506\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f7d2ff17-d604-4dd9-b607-9ecf63f28ad2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f7d2ff17-d604-4dd9-b607-9ecf63f28ad2\"},{\"properties\":{\"displayName\":\"Show + audit results from Windows VMs that do not have the specified Windows PowerShell + execution policy\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines where Windows PowerShell is not configured + to use the specified PowerShell execution policy. 
For more information on + Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.window
sConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"WindowsPowerShellExecutionPolicy\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8036bd0-c10b-4931-86bb-94a878add855\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8036bd0-c10b-4931-86bb-94a878add855\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1705 - Security Alerts, Advisories, And Directives\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1705\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f82e3639-fa2b-4e06-a786-932d8379b972\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f82e3639-fa2b-4e06-a786-932d8379b972\"},{\"properties\":{\"displayName\":\"External + accounts with owner permissions should 
be removed from your subscription\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"External + accounts with owner permissions should be removed from your subscription in + order to prevent unmonitored access.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Resources/subscriptions\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"RemoveExternalAccountsWithOwnerPermissions\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8456c1c-aa66-4dfb-861a-25d127b775c9\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8456c1c-aa66-4dfb-861a-25d127b775c9\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1345 - Cryptographic Module Authentication\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1345\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f86aa129-7c07-4aa4-bbf5-792d93ffd9ea\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f86aa129-7c07-4aa4-bbf5-792d93ffd9ea\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1065 - Remote Access | Privileged Commands / Access\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1065\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f87b8085-dca9-4cf1-8f7b-9822b997797c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f87b8085-dca9-4cf1-8f7b-9822b997797c\"},{\"properties\":{\"displayName\":\"[Preview]: + Deploy prerequisites to audit Windows VMs configurations in 'System Audit + Policies - System'\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a Guest Configuration assignment to audit Windows virtual machines + with non-compliant settings in Group Policy category: 'System Audit Policies + - System'. It also creates a system-assigned managed identity and deploys + the VM extension for Guest Configuration. This policy should only be used + along with its corresponding audit policy in an initiative. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"],\"preview\":true},\"parameters\":{\"AuditOtherSystemEvents\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Audit Other System Events\",\"description\":\"Specifies whether audit events + are generated for Windows Firewall Service and Windows Firewall driver start + and stop events, failure events for these services and Windows Firewall Service + policy processing failures.\"},\"allowedValues\":[\"No Auditing\",\"Success\",\"Failure\",\"Success + and Failure\"],\"defaultValue\":\"No Auditing\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microso
ft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SystemAuditPoliciesSystem\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/parameterHash\",\"equals\":\"[base64(concat('Audit + Other System Events;ExpectedValue', '=', 
parameters('AuditOtherSystemEvents')))]\"},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"},\"type\":{\"value\":\"[field('type')]\"},\"configurationName\":{\"value\":\"AzureBaseline_SystemAuditPoliciesSystem\"},\"AuditOtherSystemEvents\":{\"value\":\"[parameters('AuditOtherSystemEvents')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"},\"type\":{\"type\":\"string\"},\"configurationName\":{\"type\":\"string\"},\"AuditOtherSystemEvents\":{\"type\":\"string\"}},\"resources\":[{\"condition\":\"[equals(toLower(parameters('type')), + toLower('microsoft.hybridcompute/machines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.HybridCompute/machines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Other System Events;ExpectedValue\",\"value\":\"[parameters('AuditOtherSystemEvents')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2018-11-20\",\"type\":\"Microsoft.Compute/virtualMachines/providers/guestConfigurationAssignments\",\"name\":\"[concat(parameters('vmName'), + '/Microsoft.GuestConfiguration/', parameters('configurationName'))]\",\"location\":\"[parameters('location')]\",\"properties\":{\"guestConfiguration\":{\"name\":\"[parameters('configurationName')]\",\"version\":\"1.*\",\"configurationParameter\":[{\"name\":\"Audit + Other System 
Events;ExpectedValue\",\"value\":\"[parameters('AuditOtherSystemEvents')]\"}]}}},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"condition\":\"[equals(toLower(parameters('type')), + toLower('Microsoft.Compute/virtualMachines'))]\",\"apiVersion\":\"2015-05-01-preview\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforWindows')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforWindows\",\"typeHandlerVersion\":\"1.1\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}},\"dependsOn\":[\"[concat('Microsoft.Compute/virtualMachines/',parameters('vmName'),'/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/',parameters('configurationName'))]\"]}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8b0158d-4766-490f-bea0-259e52dba473\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8b0158d-4766-490f-bea0-259e52dba473\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Service Bus should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. 
This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Service + Bus\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ServiceBus/namespaces\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f8d36e2f-389b-4ee4-898d-21aeb69a0f45\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1203 - Access Restrictions 
For Change | Automated Access Enforcement + / Auditing\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1203\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9012d14-e3e6-4d7b-b926-9f37b5537066\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9012d14-e3e6-4d7b-b926-9f37b5537066\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1697 - Information System Monitoring | Analyze Traffic / Covert + Exfiltration\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1697\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9873db2-18ad-46b3-a11a-1a1f8cbf0335\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9873db2-18ad-46b3-a11a-1a1f8cbf0335\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1478 - Fire Protection | Suppression Devices / Systems\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Physical and Environmental Protection 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1478\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f997df46-cfbb-4cc8-aac8-3fecdaf6a183\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f997df46-cfbb-4cc8-aac8-3fecdaf6a183\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1535 - Personnel Sanctions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Personnel Security control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1535\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9a165d2-967d-4733-8399-1074270dae2e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9a165d2-967d-4733-8399-1074270dae2e\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1108 - Content Of Audit Records | Additional Audit Information\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1108\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9ad559e-c12d-415e-9a78-e50fdd7da7ba\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9ad559e-c12d-415e-9a78-e50fdd7da7ba\"},{\"properties\":{\"displayName\":\"Diagnostic + logs in Azure Stream Analytics should be enabled\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Audit + enabling of diagnostic logs. This enables you to recreate activity trails + to use for investigation purposes; when a security incident occurs or when + your network is compromised\",\"metadata\":{\"version\":\"2.0.0\",\"category\":\"Stream + Analytics\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"},\"requiredRetentionDays\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Required + retention (days)\",\"description\":\"The required diagnostic logs retention + in 
days\"},\"defaultValue\":\"365\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.StreamAnalytics/streamingJobs\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Insights/diagnosticSettings\",\"existenceCondition\":{\"count\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*]\",\"where\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"},{\"anyOf\":[{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"0\"},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days\",\"equals\":\"[parameters('requiredRetentionDays')]\"}]},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]},{\"allOf\":[{\"not\":{\"field\":\"Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled\",\"equals\":\"true\"}},{\"field\":\"Microsoft.Insights/diagnosticSettings/logs.enabled\",\"equals\":\"true\"}]}]}},\"greaterOrEquals\":1}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9be5368-9bf5-4b84-9e0a-7850da98bb46\"},{\"properties\":{\"displayName\":\"Latest + TLS version should be used in your Function App\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade + to the latest TLS version\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"App + Service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the 
policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Web/sites\"},{\"field\":\"kind\",\"like\":\"functionapp*\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Web/sites/config\",\"name\":\"web\",\"existenceCondition\":{\"field\":\"Microsoft.Web/sites/config/minTlsVersion\",\"equals\":\"1.2\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f9d614c5-c173-4d56-95a7-b4437057d193\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1280 - Telecommunications Services | Priority Of Service Provisions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Contingency Planning control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1280\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa108498-b3a8-4ffb-9e79-1107e76afad3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa108498-b3a8-4ffb-9e79-1107e76afad3\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1037 - Least Privilege | Network Access To Privileged Commands\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1037\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa4c2a3d-1294-41a3-9ada-0e540471e9fb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa4c2a3d-1294-41a3-9ada-0e540471e9fb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1435 - Media Transport\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Media Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1435\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fa8d221b-d130-4637-ba16-501e666628bb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fa8d221b-d130-4637-ba16-501e666628bb\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1675 - Flaw Remediation | Time To Remediate Flaws / Benchmarks + For Corrective Actions\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1675\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/facb66e0-1c48-478a-bed5-747a312323e1\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"facb66e0-1c48-478a-bed5-747a312323e1\"},{\"properties\":{\"displayName\":\"Deploy + prerequisites to enable Guest Configuration Policy on Linux VMs.\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"This + policy creates a system-assigned managed identity and deploys the VM extension + for Guest Configuration on Linux VMs. This is a prerequisites for Guest Configuration + Policy and must be assigned to the scope before using any Guest Configuration + policy. For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol.\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest + 
Configuration\",\"requiredProviders\":[\"Microsoft.GuestConfiguration\"]},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSK
U\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},\"then\":{\"effect\":\"deployIfNotExists\",\"details\":{\"roleDefinitionIds\":[\"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"],\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"name\":\"AzurePolicyforLinux\",\"existenceCondition\":{\"allOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/extensions/publisher\",\"equals\":\"Microsoft.GuestConfiguration\"},{\"field\":\"Microsoft.Compute/virtualMachines/extensions/type\",\"equals\":\"ConfigurationforLinux\"}]},\"deployment\":{\"properties\":{\"mode\":\"incremental\",\"parameters\":{\"vmName\":{\"value\":\"[field('name')]\"},\"location\":{\"value\":\"[field('location')]\"}},\"template\":{\"$schema\":\"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{\"vmName\":{\"type\":\"string\"},\"location\":{\"type\":\"string\"}},\"resources\":[{\"apiVersion\":\"2017-03-30\",\"type\":\"Microsoft.Compute/virtualMachines\",\"identity\":{\"type\":\"SystemAssigned\"},\"name\":\"[parameters('vmName')]\",\"location\":\"[parameters('location')]\"},{\"apiVersion\":\"2015-05-01-previ
ew\",\"name\":\"[concat(parameters('vmName'), + '/AzurePolicyforLinux')]\",\"type\":\"Microsoft.Compute/virtualMachines/extensions\",\"location\":\"[parameters('location')]\",\"properties\":{\"publisher\":\"Microsoft.GuestConfiguration\",\"type\":\"ConfigurationforLinux\",\"typeHandlerVersion\":\"1.0\",\"autoUpgradeMinorVersion\":true,\"settings\":{},\"protectedSettings\":{}}}]}}}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb27e9e0-526e-4ae1-89f2-a2a0bf0f8a50\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1086 - Publicly Accessible Content\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1086\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb321e6f-16a0-4be3-878f-500956e309c5\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb321e6f-16a0-4be3-878f-500956e309c5\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1222 - Information System Component Inventory\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Configuration Management control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1222\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb39e62f-6bda-4558-8088-ec03d5670914\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb39e62f-6bda-4558-8088-ec03d5670914\"},{\"properties\":{\"displayName\":\"[Preview]: + Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Upgrade + your Kubernetes service cluster to a later Kubernetes version to protect against + known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 + has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Security + Center\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"Audit\",\"Disabled\"],\"defaultValue\":\"Audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},{\"anyOf\":[{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.13.4\",\"1.13.3\",\"1.13.2\",\"1.13.1\",\"1.13.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.12.6\",\"1.12.5\",\"1.12.4\",\"1.12.3\",\"1.12.2\",\"1.12.1\",\"1.12.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"in\":[\"1.11.8\",\"1.11.7\",\"1.11.6\",\"1.11.5\",\"1.11.4\",\"1.11.3\",\"1.11.2\",\"1.11.1\",\"1.11.0\"]},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.10.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.9.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.8.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.7.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.6.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.5.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.4.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.3.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.2.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.1.*\"},{\"field\":\"Microsoft.ContainerService/managedClusters/kubernetesVersion\",\"like\":\"1.0.*\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fb893a29-21bb-418c-a157-
e99480ec364c\"},{\"properties\":{\"displayName\":\"Storage + account containing the container with activity logs must be encrypted with + BYOK\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy audits if the Storage account containing the container with activity + logs is encrypted with BYOK. The policy works only if the storage account + lies on the same subscription as activity logs by design. More information + on Azure Storage encryption at rest can be found here https://aka.ms/azurestoragebyok. + \",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Monitoring\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Insights/logProfiles\"},{\"field\":\"Microsoft.Insights/logProfiles/storageAccountId\",\"exists\":\"true\"}]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Storage/storageAccounts\",\"existenceScope\":\"subscription\",\"existenceCondition\":{\"allOf\":[{\"value\":\"[contains(field('Microsoft.Insights/logProfiles/storageAccountId'), + subscription().Id)]\",\"equals\":\"true\"},{\"field\":\"name\",\"equals\":\"[last(split(field('Microsoft.Insights/logProfiles/storageAccountId'),'/'))]\"},{\"field\":\"Microsoft.Storage/storageAccounts/encryption.keySource\",\"equals\":\"Microsoft.Keyvault\"}]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fbb99e8e-e444-4da0-9ff1-75c92f5a85b2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fbb99e8e-e444-4da0-9ff1-75c92f5a85b2\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1075 - Access Control For Mobile Devices | Full Device / Container-Based + \ 
Encryption\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Access Control control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1075\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fc933d22-04df-48ed-8f87-22a3773d4309\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fc933d22-04df-48ed-8f87-22a3773d4309\"},{\"properties\":{\"displayName\":\"[Preview]: + Show audit results from Windows VMs configurations in 'Security Options - + Microsoft Network Client'\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Windows virtual machines with non-compliant settings in Group Policy + category: 'Security Options - Microsoft Network Client'. 
For more information + on Guest Configuration policies, please visit https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Guest + Configuration\",\"preview\":true},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"esri\",\"incredibuild\",\"MicrosoftDynamicsAX\",\"MicrosoftSharepoint\",\"MicrosoftVisualStudio\",\"MicrosoftWindowsDesktop\",\"MicrosoftWindowsServerHPCPack\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftWindowsServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"MicrosoftSQLServer\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"dsvm-windows\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"standard-data-science-vm\",\"windows-data-science-vm\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"batch\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"rendering-windows2016\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"center-for-internet-security-inc\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"cis-windows-server-201*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"pivotal\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"bosh-windows-server*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloud-infrastructure-services\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"ad*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtual
Machines/osProfile.windowsConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Windows*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"exists\":\"false\"},{\"allOf\":[{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"2008*\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"notLike\":\"SQL2008*\"}]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"windows*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"AzureBaseline_SecurityOptionsMicrosoftNetworkClient\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fcbc55c9-f25a-4e55-a6cb-33acb3be778b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fcbc55c9-f25a-4e55-a6cb-33acb3be778b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1318 - Authenticator Management\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1318\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fced5fda-3bdb-4d73-bfea-0e2c80428b66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fced5fda-3bdb-4d73-bfea-0e2c80428b66\"},{\"properties\":{\"displayName\":\"Microsoft + Managed 
Control 1543 - Risk Assessment\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Risk Assessment control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1543\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd00b778-b5b5-49c0-a994-734ea7bd3624\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd00b778-b5b5-49c0-a994-734ea7bd3624\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1707 - Security Alerts, Advisories, And Directives | Automated + Alerts And Advisories\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Information Integrity control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1707\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd4a2ac8-868a-4702-a345-6c896c3361ce\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd4a2ac8-868a-4702-a345-6c896c3361ce\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1299 - Identification And Authentication Policy And Procedures\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Identification and Authentication control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1299\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd4e54f7-9ab0-4bae-b6cc-457809948a89\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd4e54f7-9ab0-4bae-b6cc-457809948a89\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1627 - Boundary Protection | External Telecommunications Services\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Communications Protection control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1627\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd73310d-76fc-422d-bda4-3a077149f179\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd73310d-76fc-422d-bda4-3a077149f179\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1130 - Time Stamps | Synchronization With Authoritative Time + Source\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Audit and Accountability control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1130\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fd7c4c1d-51ee-4349-9dab-89a7f8c8d102\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fd7c4c1d-51ee-4349-9dab-89a7f8c8d102\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1611 - Developer-Provided Training\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1611\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fdda8a0c-ac32-43f6-b2f4-7dc1df03f43f\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1405 - Maintenance Tools | Inspect Tools\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + 
Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1405\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fe1a0bf3-409a-4b00-b60d-0b1f917f7e7b\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1613 - Developer Security Architecture And Design\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this System and Services Acquisition control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1613\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fe2ad78b-8748-4bff-a924-f74dfca93f30\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fe2ad78b-8748-4bff-a924-f74dfca93f30\"},{\"properties\":{\"displayName\":\"Show + audit results from Linux VMs that do not have the specified applications installed\",\"policyType\":\"BuiltIn\",\"mode\":\"All\",\"description\":\"This + policy should only be used along with its corresponding deploy policy in an + initiative. This definition allows Azure Policy to process the results of + auditing Linux virtual machines that do not have the specified applications + installed. 
For more information on Guest Configuration policies, please visit + https://aka.ms/gcpol\",\"metadata\":{\"version\":\"1.1.0\",\"category\":\"Guest + Configuration\"},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Compute/virtualMachines\"},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"in\":[\"microsoft-aks\",\"AzureDatabricks\",\"qubole-inc\",\"datastax\",\"couchbase\",\"scalegrid\",\"checkpoint\",\"paloaltonetworks\"]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"OpenLogic\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"CentOS*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"RHEL\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"RedHat\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"osa\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"credativ\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"Debian\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"7*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Suse\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"SLES*\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"11*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"Canonical\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"UbuntuServer\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"12*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-dsvm\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"in\":[\"linux-data-science-vm-ubuntu\",\"azureml\"]}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":
\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-centos-os\"},{\"field\":\"Microsoft.Compute/imageSKU\",\"notLike\":\"6*\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"cloudera\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"equals\":\"cloudera-altus-centos-os\"}]},{\"allOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"equals\":\"microsoft-ads\"},{\"field\":\"Microsoft.Compute/imageOffer\",\"like\":\"linux*\"}]},{\"allOf\":[{\"anyOf\":[{\"field\":\"Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration\",\"exists\":\"true\"},{\"field\":\"Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType\",\"like\":\"Linux*\"}]},{\"anyOf\":[{\"field\":\"Microsoft.Compute/imagePublisher\",\"exists\":\"false\"},{\"field\":\"Microsoft.Compute/imagePublisher\",\"notIn\":[\"OpenLogic\",\"RedHat\",\"credativ\",\"Suse\",\"Canonical\",\"microsoft-dsvm\",\"cloudera\",\"microsoft-ads\"]}]}]}]}]},{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.HybridCompute/machines\"},{\"field\":\"Microsoft.HybridCompute/imageOffer\",\"like\":\"linux*\"}]}]},\"then\":{\"effect\":\"auditIfNotExists\",\"details\":{\"type\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments\",\"name\":\"installed_application_linux\",\"existenceCondition\":{\"field\":\"Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus\",\"equals\":\"Compliant\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fee5cb2b-9d9b-410e-afe3-2902d90d0004\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fee5cb2b-9d9b-410e-afe3-2902d90d0004\"},{\"properties\":{\"displayName\":\"Vulnerabilities + on your SQL databases should be remediated\",\"policyType\":\"BuiltIn\",\"mode\":\"Indexed\",\"description\":\"Monitor + Vulnerability Assessment scan results and recommendations for how to remediate + database vulnerabilities.\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Security + 
Center\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"AuditIfNotExists\",\"Disabled\"],\"defaultValue\":\"AuditIfNotExists\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"Microsoft.Sql/servers/databases\",\"Microsoft.Sql/managedinstances/databases\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"type\":\"Microsoft.Security/complianceResults\",\"name\":\"sqlVulnerabilityAssessment\",\"existenceCondition\":{\"field\":\"Microsoft.Security/complianceResults/resourceStatus\",\"in\":[\"OffByPolicy\",\"Healthy\"]}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"feedbf84-6b99-488c-acc2-71c829aa5ffc\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1407 - Maintenance Tools | Prevent Unauthorized Removal\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Maintenance control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1407\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/ff9fbd83-1d8d-4b41-aac2-94cb44b33976\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"ff9fbd83-1d8d-4b41-aac2-94cb44b33976\"},{\"properties\":{\"displayName\":\"Microsoft + Managed Control 1158 - Security Authorization\",\"policyType\":\"Static\",\"mode\":\"Indexed\",\"description\":\"Microsoft + implements this Security Assessment and Authorization 
control\",\"metadata\":{\"version\":\"1.0.0\",\"category\":\"Regulatory + Compliance\",\"additionalMetadataId\":\"/providers/Microsoft.PolicyInsights/policyMetadata/ACF1158\"},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"in\":[\"Microsoft.Resources/subscriptions\",\"Microsoft.Resources/subscriptions/resourceGroups\"]},{\"value\":\"false\",\"equals\":\"true\"}]},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/fff50cf2-28eb-45b4-b378-c99412688907\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"fff50cf2-28eb-45b4-b378-c99412688907\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage certificate validity period\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages the maximum validity period for certificates in months.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"maximumValidityInMonths\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: + The maximum validity in months\",\"description\":\"The limit to how long a + certificate may be valid for. 
Certificates with lengthy validity periods aren't + best practice.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/properties.validityInMonths\",\"greater\":\"[parameters('maximumValidityInMonths')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0a075868-4c26-42ef-914c-5bc007359560\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Ensure containers listen only on allowed ports in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy enforces containers to listen only on allowed ports in an Azure Kubernetes + Service cluster. Limited Preview policies only work for registered subscriptions. + To register, please go to https://aka.ms/akspolicyonboarding. For instruction + on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"allowedContainerPortsRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed + container ports regex\",\"description\":\"Regex representing container ports + allowed in Kubernetes cluster. E.g. 
Regex for allowing ports 443,446 is ^(443|446)$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerAllowedPorts\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-ports/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedContainerPortsRegex\":\"[parameters('allowedContainerPortsRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/0f636243-1b1c-4d50-880f-310f6199f2cb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"0f636243-1b1c-4d50-880f-310f6199f2cb\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage allowed certificate key types\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages the allowed key types for certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"allowedKeyTypes\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Allowed key types\",\"description\":\"The list of allowed certificate key + types.\"},\"allowedValues\":[\"RSA\",\"RSA-HSM\",\"EC\",\"EC-HSM\"],\"defaultValue\":[\"RSA\",\"RSA-HSM\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"notIn\":\"[parameters('allowedKeyTypes')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1151cede-290b-4ba0-8b38-0ad145ac888f\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage certificate lifetime action triggers\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages the configuration for certificate lifetime action triggers + before certificate expiration.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"maximumPercentageLife\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: + The maximum lifetime percentage\",\"description\":\"Enter the percentage of + lifetime of the certificate when you want to trigger the policy action. For + example, to trigger a policy action at 80% of the certificate's valid life, + enter '80'.\"}},\"minimumDaysBeforeExpiry\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: + The minimum days before expiry\",\"description\":\"Enter the days before expiration + of the certificate when you want to trigger the policy action. 
For example, + to trigger a policy action 90 days before the certificate's expiration, enter + '90'.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"anyOf\":[{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry\",\"exists\":\"True\"},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.daysBeforeExpiry\",\"less\":\"[parameters('minimumDaysBeforeExpiry')]\"}]},{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage\",\"exists\":\"True\"},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/lifetimeAction.lifetimePercentage\",\"greater\":\"[parameters('maximumPercentageLife')]\"}]}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"12ef42cb-9903-4e39-9c26-422d29570417\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Enforce labels on pods in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy enforces the specified labels are provided for pods in an Azure Kubernetes + Service cluster. Limited Preview policies only work for registered subscriptions. + To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction + on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"commaSeparatedListOfLabels\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Comma-separated + list of labels\",\"description\":\"A comma-separated list of labels to be + specified on Pods in Kubernetes cluster. E.g. test1,test2\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"PodEnforceLabels\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/pod-enforce-labels/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"commaSeparatedListOfLabels\":\"[parameters('commaSeparatedListOfLabels')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/16c6ca72-89d2-4798-b87e-496f9de7fcb7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"16c6ca72-89d2-4798-b87e-496f9de7fcb7\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Enforce HTTPS ingress in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy enforces HTTPS ingress in a Kubernetes cluster. 
For instructions on + using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-https-only/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Ensure services listen only on allowed ports in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy enforces services to listen only on allowed ports in a Kubernetes cluster. 
+ For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"allowedServicePortsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Allowed service ports list\",\"description\":\"The list of service ports allowed + in a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/service-allowed-ports/constraint.yaml\",\"values\":{\"allowedServicePorts\":\"[parameters('allowedServicePortsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/233a2a17-77ca-4fb1-9b6b-69223d272a44\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"233a2a17-77ca-4fb1-9b6b-69223d272a44\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Ensure services listen only on allowed ports in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy enforces services to listen only on allowed ports in an Azure Kubernetes + Service cluster. Limited Preview policies only work for registered subscriptions. + To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction + on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"allowedServicePortsRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed + service ports regex\",\"description\":\"Regex representing service ports allowed + in Kubernetes cluster. E.g. Regex for allowing ports 443,446 is ^(443|446)$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ServiceAllowedPorts\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/service-allowed-ports/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedServicePortsRegex\":\"[parameters('allowedServicePortsRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/25dee3db-6ce0-4c02-ab5d-245887b24077\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"25dee3db-6ce0-4c02-ab5d-245887b24077\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Enforce HTTPS ingress in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy enforces HTTPS ingress in an Azure Kubernetes Service cluster. Limited + Preview policies only work for registered subscriptions. To register, please + go to https://aka.ms/akspolicyonboarding. 
For instruction on using this policy, + please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"HttpsIngressOnly\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-https-only/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/2fbff515-eecc-4b7e-9b63-fcc7138b7dc3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"2fbff515-eecc-4b7e-9b63-fcc7138b7dc3\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Enforce internal load balancers in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy enforces load balancers do not have public IPs in a Kubernetes cluster. 
+ For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/load-balancer-no-public-ips/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Ensure containers listen only on allowed ports in Kubernetes + cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy enforces containers to listen only on allowed ports in a Kubernetes + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"allowedContainerPortsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Allowed container ports list\",\"description\":\"The list of container ports + allowed in a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-ports/constraint.yaml\",\"values\":{\"allowedContainerPorts\":\"[parameters('allowedContainerPortsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/440b515e-a580-421e-abeb-b159a61ddcbc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"440b515e-a580-421e-abeb-b159a61ddcbc\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Enforce labels on pods in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy enforces the specified labels are provided for pods in a Kubernetes + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"labelsList\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + List of labels\",\"description\":\"The list of labels to be specified on Pods + in a Kubernetes cluster.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/pod-enforce-labels/constraint.yaml\",\"values\":{\"labels\":\"[parameters('labelsList')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/46592696-4c7b-4bf3-9e45-6c2763bdc0a6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"46592696-4c7b-4bf3-9e45-6c2763bdc0a6\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Ensure only allowed container images in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy ensures only allowed container images are running in an Azure Kubernetes + Service cluster. Limited Preview policies only work for registered subscriptions. + To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction + on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"allowedContainerImagesRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Allowed + container images regex\",\"description\":\"Regex representing container images + allowed in Kubernetes cluster. E.g. Regex of azure container registry images + is ^.+azurecr.io/.+$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerAllowedImages\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-allowed-images/limited-preview/gatekeeperpolicy.rego\",\"policyParameters\":{\"allowedContainerImagesRegex\":\"[parameters('allowedContainerImagesRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/5f86cb6e-c4da-441b-807c-44bd0cc14e66\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"5f86cb6e-c4da-441b-807c-44bd0cc14e66\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Do not allow privileged containers in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy does not allow privileged containers creation in an Azure Kubernetes + Service cluster. Limited Preview policies only work for registered subscriptions. + To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction + on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerNoPrivilege\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-no-privilege/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"7ce7ac02-a5c6-45d6-8d1b-844feb1c1531\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage certificates issued by an integrated CA\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages certificates are issued by a specified key vault integrated + Certificate Authority.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"allowedCAs\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Allowed Azure Key Vault Supported CAs\",\"description\":\"The list of allowed + certificate authorities supported by Azure Key Vault.\"},\"allowedValues\":[\"DigiCert\",\"GlobalSign\"],\"defaultValue\":[\"DigiCert\",\"GlobalSign\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/issuer.name\",\"notIn\":\"[parameters('allowedCAs')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8e826246-c976-48f6-b03e-619bb92b3d82\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Do not allow privileged containers in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy does not allow privileged containers creation in a Kubernetes cluster. + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-no-privilege/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"95edb821-ddaf-4404-9732-666045e056b4\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage certificates issued by a non-integrated 
CA\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages certificates are issued by a specified non-integrated Certificate + Authority.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"caCommonName\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + The common name of the certificate authority\",\"description\":\"The common + name (CN) of the Certificate Authority (CA) provider. For example, for an + issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName\",\"notContains\":\"[parameters('caCommonName')]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a22f4a40-01d3-4c7d-8071-da157eeff341\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Ensure CPU and memory resource limits defined on containers + in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy ensures CPU and memory resource limits are defined on containers in + an Azure Kubernetes Service cluster. Limited Preview policies only work for + registered subscriptions. To register, please go to https://aka.ms/akspolicyonboarding. 
+ For instruction on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"ContainerResourceLimits\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/container-resource-limits/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a2d3ed81-8d11-4079-80a5-1faadc0024f4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a2d3ed81-8d11-4079-80a5-1faadc0024f4\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Enforce internal load balancers in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy enforces load balancers do not have public IPs in an Azure Kubernetes + Service cluster. Limited Preview policies only work for registered subscriptions. + To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction + on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"LoadBalancersInternal\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/loadbalancer-no-publicips/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/a74d8f00-2fd9-4ce4-968e-0ee1eb821698\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"a74d8f00-2fd9-4ce4-968e-0ee1eb821698\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Enforce unique ingress hostnames across namespaces in Kubernetes + cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy enforces unique ingress hostnames across namespaces in a Kubernetes + cluster. 
For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/ingress-hostnames-conflict/constraint.yaml\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/b2fd3e59-6390-4f2b-8247-ea676bd03e2d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"b2fd3e59-6390-4f2b-8247-ea676bd03e2d\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage allowed curve names for elliptic curve cryptography certificates\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages the allowed elliptic curve names for elliptic curve cryptography + certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"allowedECNames\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"[Preview]: + Allowed elliptic curve names\",\"description\":\"The list of allowed curve + names for elliptic curve cryptography certificates.\"},\"allowedValues\":[\"P-256\",\"P-256K\",\"P-384\",\"P-521\"],\"defaultValue\":[\"P-256\",\"P-256K\",\"P-384\",\"P-521\"]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"in\":[\"EC\",\"EC-HSM\"]},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.ellipticCurveName\",\"notIn\":\"[parameters('allowedECNames')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"bd78111f-4953-4367-9fd5-7e08808b54bf\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage minimum key size for RSA certificates\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages the minimum key size for RSA certificates.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"minimumRSAKeySize\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: + Minimum RSA key size\",\"description\":\"The minimum key size for RSA certificates.\"},\"allowedValues\":[2048,3072,4096]},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the 
policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keyType\",\"in\":[\"RSA\",\"RSA-HSM\"]},{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/keyProperties.keySize\",\"less\":\"[parameters('minimumRSAKeySize')]\"}]},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"cee51871-e572-4576-855c-047c820360f0\"},{\"properties\":{\"displayName\":\"[Limited + Preview]: [AKS] Enforce unique ingress hostnames across namespaces in AKS\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.ContainerService.Data\",\"description\":\"This + policy enforces unique ingress hostnames across namespaces in an Azure Kubernetes + Service cluster. Limited Preview policies only work for registered subscriptions. + To register, please go to https://aka.ms/akspolicyonboarding. 
For instruction + on using this policy, please go to https://aka.ms/akspolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes + service\"},\"parameters\":{\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"Effect\",\"description\":\"Enable + or disable the execution of the policy\"},\"allowedValues\":[\"EnforceRegoPolicy\",\"Disabled\"],\"defaultValue\":\"EnforceRegoPolicy\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.ContainerService/managedClusters\"},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"policyId\":\"UniqueIngressHostnames\",\"policy\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/KubernetesService/ingress-hostnames-conflict/limited-preview/gatekeeperpolicy.rego\"}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/d011d9f7-ba32-4005-b727-b3d09371ca60\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"d011d9f7-ba32-4005-b727-b3d09371ca60\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Ensure container CPU and memory resource limits do not exceed + the specified limits in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy ensures container CPU and memory resource limits are defined and do + not exceed the specified limits in a Kubernetes cluster. For instructions + on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"cpuLimit\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Max allowed CPU units\",\"description\":\"The maximum CPU units allowed for + a container. E.g. 200m. 
For more information, please refer https://aka.ms/k8s-policy-pod-limits\"}},\"memoryLimit\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Max allowed memory bytes\",\"description\":\"The maximum memory bytes allowed + for a container. E.g. 1Gi. For more information, please refer https://aka.ms/k8s-policy-pod-limits\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-resource-limits/constraint.yaml\",\"values\":{\"cpuLimit\":\"[parameters('cpuLimit')]\",\"memoryLimit\":\"[parameters('memoryLimit')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/e345eecc-fa47-480f-9e88-67dcc122b164\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"e345eecc-fa47-480f-9e88-67dcc122b164\"},{\"properties\":{\"displayName\":\"[Preview]: + Manage certificates that are within a specified number of days of expiration\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.KeyVault.Data\",\"description\":\"This + policy manages certificates that are within a specified number of days to + their expiration date.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Key + Vault\",\"preview\":true},\"parameters\":{\"daysToExpire\":{\"type\":\"Integer\",\"metadata\":{\"displayName\":\"[Preview]: + Days to expire\",\"description\":\"The number of days for a certificate to + 
expire.\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"audit\",\"deny\",\"disabled\"],\"defaultValue\":\"audit\"}},\"policyRule\":{\"if\":{\"field\":\"Microsoft.KeyVault.Data/vaults/certificates/attributes.expiresOn\",\"lessOrEquals\":\"[addDays(utcNow(), + parameters('daysToExpire'))]\"},\"then\":{\"effect\":\"[parameters('effect')]\"}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"f772fb64-8e40-40ad-87bc-7706e1949427\"},{\"properties\":{\"displayName\":\"[Preview]: + [AKS Engine] Ensure only allowed container images in Kubernetes cluster\",\"policyType\":\"BuiltIn\",\"mode\":\"Microsoft.Kubernetes.Data\",\"description\":\"This + policy ensures only allowed container images are running in a Kubernetes cluster. + For instructions on using this policy, please go to https://aka.ms/kubepolicydoc.\",\"metadata\":{\"version\":\"1.0.0-preview\",\"category\":\"Kubernetes\",\"preview\":true},\"parameters\":{\"allowedContainerImagesRegex\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Allowed container images regex\",\"description\":\"Regex representing container + images allowed in a Kubernetes cluster. E.g. 
Regex for azure container registry + images is ^.+azurecr.io/.+$\"}},\"effect\":{\"type\":\"String\",\"metadata\":{\"displayName\":\"[Preview]: + Effect\",\"description\":\"Enable or disable the execution of the policy\"},\"allowedValues\":[\"enforceOPAConstraint\",\"disabled\"],\"defaultValue\":\"enforceOPAConstraint\"}},\"policyRule\":{\"if\":{\"field\":\"type\",\"in\":[\"AKS + Engine\"]},\"then\":{\"effect\":\"[parameters('effect')]\",\"details\":{\"constraintTemplate\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/template.yaml\",\"constraint\":\"https://raw.githubusercontent.com/Azure/azure-policy/master/built-in-references/Kubernetes/container-allowed-images/constraint.yaml\",\"values\":{\"allowedContainerImagesRegex\":\"[parameters('allowedContainerImagesRegex')]\"}}}}},\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/febd0533-8e55-448f-b837-bd0e06f16469\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"febd0533-8e55-448f-b837-bd0e06f16469\"},{\"properties\":{\"displayName\":\"zhoxing-test\",\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-25T09:41:45.9065425Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of allowed locations for resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/04a22d7e-273d-45f2-8a10-02070dbcefca\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"04a22d7e-273d-45f2-8a10-02070dbcefca\"},{\"properties\":{\"displayName\":\"Audit + virtual machines without disaster 
recovery configured\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"test\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-25T03:21:49.7174918Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of allowed locations for resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/1c510c21-8404-40b2-a351-73e881e707dc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"1c510c21-8404-40b2-a351-73e881e707dc\"},{\"properties\":{\"displayName\":\"zhoxing-test2\",\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-25T09:43:19.028796Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of allowed locations for 
resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/271c056f-5f7d-4b04-9c2e-b5e8fc73477b\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"271c056f-5f7d-4b04-9c2e-b5e8fc73477b\"},{\"properties\":{\"displayName\":\"zhoxing_test_new_policy_test_length_exceed_name\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"\u6D4B\u8BD5\u4E00\u4E0B\u540D\u5B57\u8D85\u957F\u7684\u7B56\u7565\u54E6\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-25T03:14:59.2983062Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of allowed locations for resources.\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/8720f898-d316-4608-b43d-203ce23c2a8d\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"8720f898-d316-4608-b43d-203ce23c2a8d\"},{\"properties\":{\"displayName\":\"test_policy6iqdav32l\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:20:01.1577308Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy4zz266ek6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy4zz266ek6\"},{\"properties\":{\"displayName\":\"test_policybsix632z6\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T03:24:37.437303Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy57hfk7oid\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy57hfk7oid\"},{\"properties\":{\"displayName\":\"test_policy3ulbefgq5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy5rxcsbgyu\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy5rxcsbgyu\"},{\"properties\":{\"displayName\":\"test_policy66vwzao4g\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:12:26.4310804Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy63bzujayf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy63bzujayf\"},{\"properties\":{\"displayName\":\"test_policyvrud2j572\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6rmvrx2ug\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy6rmvrx2ug\"},{\"properties\":{\"displayName\":\"test_policyqr33lcjpy\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:02:21.3055647Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy6vduv5kcq\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy6vduv5kcq\"},{\"properties\":{\"displayName\":\"test_policyeezgnn3tf\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy72fpbk6om\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy72fpbk6om\"},{\"properties\":{\"displayName\":\"test_policylzld56g3c\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy75lhjp2qz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy75lhjp2qz\"},{\"properties\":{\"displayName\":\"test_policyac3dg2mjn\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T09:20:41.768722Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policy7nfzu5aac\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policy7nfzu5aac\"},{\"properties\":{\"displayName\":\"test_policy4leaozaze\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyafjaspbln\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyafjaspbln\"},{\"properties\":{\"displayName\":\"test_policytz5xijuco\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"displayName\":\"Allowed + 
locations\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"in\":\"[parameters('allowedLocations')]\",\"field\":\"location\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyaip6dvuui\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyaip6dvuui\"},{\"properties\":{\"displayName\":\"test_policy7f4jaqite\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-26T03:12:15.3049726Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyakuce4o7r\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyakuce4o7r\"},{\"properties\":{\"displayName\":\"test_policyk2ipvteje\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policycc24wg2ai\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policycc24wg2ai\"},{\"properties\":{\"displayName\":\"test_policy3fqevgg5o\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-26T07:30:30.8196821Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyda63cvhit\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyda63cvhit\"},{\"properties\":{\"displayName\":\"test_policytxax3vq3l\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:13:20.7569455Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyeal5hjxel\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyeal5hjxel\"},{\"properties\":{\"displayName\":\"test_policynek2j6dvx\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyebyt2or2s\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyebyt2or2s\"},{\"properties\":{\"displayName\":\"test_policyo57mbgttt\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyf4gvztvgz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyf4gvztvgz\"},{\"properties\":{\"displayName\":\"test_policyry7ktdqpn\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfneqctrjx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyfneqctrjx\"},{\"properties\":{\"displayName\":\"test_policyhproaqyb2\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T07:55:49.8973296Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyfo7wr4vix\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyfo7wr4vix\"},{\"properties\":{\"displayName\":\"test_policyfufe2htyd\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:17:08.3329915Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyftxdxfati\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyftxdxfati\"},{\"properties\":{\"displayName\":\"test_policypq5w4fcp5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhavmopeay\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyhavmopeay\"},{\"properties\":{\"displayName\":\"test_policyzhxn622hb\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyhb6kmyq63\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyhb6kmyq63\"},{\"properties\":{\"displayName\":\"test_policyzbi2xb6y7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyismcbfzwf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyismcbfzwf\"},{\"properties\":{\"displayName\":\"test_policyyulsilxiw\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyjp2hqpyxg\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyjp2hqpyxg\"},{\"properties\":{\"displayName\":\"test_policy3b7x23vtu\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:09:59.3205891Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyk7i5cvli7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyk7i5cvli7\"},{\"properties\":{\"displayName\":\"test_policykr5rg52qb\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-20T07:02:32.8430887Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyko7fuaryl\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyko7fuaryl\"},{\"properties\":{\"displayName\":\"test_policym7v6bzkep\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyl5e3igsku\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyl5e3igsku\"},{\"properties\":{\"displayName\":\"test_policyr5ivz4uoy\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policylw4dif6k4\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policylw4dif6k4\"},{\"properties\":{\"displayName\":\"test_policytbp7jr4ui\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:32:31.9256236Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyma7xpif5f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyma7xpif5f\"},{\"properties\":{\"displayName\":\"test_policyltbuxqxmj\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:01:18.5679417Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymhawrsfdj\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policymhawrsfdj\"},{\"properties\":{\"displayName\":\"test_policyjgu2d4mwc\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-25T11:29:24.0188349Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying 
resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymroawkgak\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policymroawkgak\"},{\"properties\":{\"displayName\":\"test_policyp2yhkolhg\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policymxx4vzibo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policymxx4vzibo\"},{\"properties\":{\"displayName\":\"test_policyt252aa3in\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyose3kehj3\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyose3kehj3\"},{\"properties\":{\"displayName\":\"test_policy7q6xzfojd\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-26T02:48:58.771927Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policypm6ined27\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policypm6ined27\"},{\"properties\":{\"displayName\":\"test_policyg5g7wrd63\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqcexugiyb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyqcexugiyb\"},{\"properties\":{\"displayName\":\"test_policyrhqz2lkr7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:06:49.1738752Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyqsscwoy4k\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyqsscwoy4k\"},{\"properties\":{\"displayName\":\"test_policyfn5bvohrv\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-15T07:02:13.594025Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr45j67nyp\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyr45j67nyp\"},{\"properties\":{\"displayName\":\"test_policygciiyb5ye\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:07:22.3409618Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyr7fhjcb3r\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyr7fhjcb3r\"},{\"properties\":{\"displayName\":\"test_policy2k3hcktfx\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:18:07.741136Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrnepsjpsa\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrnepsjpsa\"},{\"properties\":{\"displayName\":\"test_policy5u5ook2zf\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrs5zxfokx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrs5zxfokx\"},{\"properties\":{\"displayName\":\"test_policyepxuvmnrs\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrtseayuym\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrtseayuym\"},{\"properties\":{\"displayName\":\"test_policyeglfwi2os\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyrzih7n7ws\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyrzih7n7ws\"},{\"properties\":{\"displayName\":\"test_policyrjb7ausww\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-26T07:06:57.89264Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policysh2ld2fbf\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policysh2ld2fbf\"},{\"properties\":{\"displayName\":\"test_policyeop2lxcb7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytaxuus2zo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytaxuus2zo\"},{\"properties\":{\"displayName\":\"test_policyx5a3znshs\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-26T09:10:23.421479Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying 
resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytl5ocnpv2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytl5ocnpv2\"},{\"properties\":{\"displayName\":\"test_policymichd2ukj\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policytrkoh7vio\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policytrkoh7vio\"},{\"properties\":{\"displayName\":\"test_policymhqqjyizg\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyunv6j3gfp\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyunv6j3gfp\"},{\"properties\":{\"displayName\":\"test_policyf2qzg3ba4\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"displayName\":\"Allowed + locations\",\"strongType\":\"location\"}}},\"policyRule\":{\"if\":{\"not\":{\"in\":\"[parameters('allowedLocations')]\",\"field\":\"location\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv3qavzpbx\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv3qavzpbx\"},{\"properties\":{\"displayName\":\"test_policy5koxubsg5\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv53qgvql6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv53qgvql6\"},{\"properties\":{\"displayName\":\"test_policycaxoe7agu\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T02:14:31.5587491Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyv6bc2zdey\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyv6bc2zdey\"},{\"properties\":{\"displayName\":\"test_policy65zhk56oe\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T09:12:22.7078165Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvmph7iatk\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyvmph7iatk\"},{\"properties\":{\"displayName\":\"test_policy7t2i6ysv7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyvpb2ircbl\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyvpb2ircbl\"},{\"properties\":{\"displayName\":\"test_policyc2n4hwvff\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-06T10:21:23.3432499Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policywsslcs6dz\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policywsslcs6dz\"},{\"properties\":{\"displayName\":\"test_policyn67yt2fld_new\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-06-11T06:51:10.2516Z\",\"updatedBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"updatedOn\":\"2019-06-11T06:51:13.9885473Z\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations 2\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"audit\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyx5j3fsjzb\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyx5j3fsjzb\"},{\"properties\":{\"displayName\":\"test_policyltxpwmbyi\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-26T02:44:15.0960062Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying 
resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyy3ipsjspu\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyy3ipsjspu\"},{\"properties\":{\"displayName\":\"test_policy574uc23jc\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2019-12-09T08:14:59.7674009Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyy7mglfglo\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyy7mglfglo\"},{\"properties\":{\"displayName\":\"test_policyao7uqj3gn\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-26T01:39:03.0784792Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying 
resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyyc6uhp7bs\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyyc6uhp7bs\"},{\"properties\":{\"displayName\":\"test_policyycy3trxsx\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-26T03:03:25.8356774Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"displayName\":\"Allowed + locations\",\"description\":\"The list of locations that can be specified + when deploying resources\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyym2rnjbh7\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyym2rnjbh7\"},{\"properties\":{\"displayName\":\"test_policyif4bjggk7\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123_new\",\"metadata\":{\"category\":\"test2\"},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + 
locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyyuuoin4oc\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyyuuoin4oc\"},{\"properties\":{\"displayName\":\"test_policyvy7eweevk\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"desc_for_test_policy_123\",\"metadata\":{\"category\":\"test\",\"createdBy\":\"93a01e49-673a-4e15-8230-51214a737962\",\"createdOn\":\"2019-02-19T07:01:55.8648869Z\",\"updatedBy\":null,\"updatedOn\":null},\"parameters\":{\"allowedLocations\":{\"type\":\"Array\",\"metadata\":{\"description\":\"The + list of locations that can be specified when deploying resources\",\"strongType\":\"location\",\"displayName\":\"Allowed + locations\"}}},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":\"[parameters('allowedLocations')]\"}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-policyzyhzyddss\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-policyzyhzyddss\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"Deny + cool access tiering for 
storage\",\"metadata\":{\"createdBy\":\"89ed5be8-ff97-41b5-ab11-055e1e3cc34b\",\"createdOn\":\"2019-03-09T04:29:39.8836867Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"allOf\":[{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts\"},{\"field\":\"kind\",\"equals\":\"BlobStorage\"},{\"not\":{\"field\":\"Microsoft.Storage/storageAccounts/accessTier\",\"equals\":\"cool\"}}]},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/denyCoolTiering\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"denyCoolTiering\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:58:35.9462109Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-08T05:58:36.2899714Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1d6a287496763bd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd1d6a287496763bd\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"All\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T04:25:20.3616782Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-08T04:25:20.5689022Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd1ff115351d7d620\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd1ff115351d7d620\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"
createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:58:36.5087248Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd226f944793a0edd\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd226f944793a0edd\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T04:25:20.9593945Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pd248103959e1b89a\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pd248103959e1b89a\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:53:56.4821495Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn4b00229168b529\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdn4b00229168b529\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:12:02.5562119Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscripti
ons/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdn7d459478c62e5f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdn7d459478c62e5f\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:16:25.1651266Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdndd5095457eae7f\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdndd5095457eae7f\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:21:56.3757672Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pdnfc173081e3e1c6\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pdnfc173081e3e1c6\"},{\"properties\":{\"displayName\":\"pol-defdis-2169\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy + definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:43:22.5629692Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-2601\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-2601\"},{\"properties\":{\"displayName\":\"pol-dis-5258\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy + definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T09:57:59.3671014Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3066\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-3066\"},{\"properties\":{\"displayName\":\"pol-defdis-1797\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy + definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-08T05:59:42.1212637Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-3604\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-3604\"},{\"properties\":{\"displayName\":\"pol-defdis-8885\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy + definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:51:26.6479837Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4703\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-4703\"},{\"properties\":{\"displayName\":\"pol-defdis-5984\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy + definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:44:44.5908405Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-4803\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-4803\"},{\"properties\":{\"displayName\":\"pol-dis-2866\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy + definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T09:59:29.3473453Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-7444\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-7444\"},{\"properties\":{\"displayName\":\"pol-defdis-3052\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy + definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:50:49.8743418Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-834\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-834\"},{\"properties\":{\"displayName\":\"pol-dis-6545\",\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"description\":\"policy + definition description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:01:11.8439197Z\",\"updatedBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"updatedOn\":\"2019-11-07T10:01:13.5984375Z\"},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-900\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-900\"},{\"properties\":{\"displayName\":\"pol-defdis-412\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"policy + definition 
description\",\"metadata\":{\"createdBy\":\"5b5e6b07-55b8-419b-a446-20fe0aa5b459\",\"createdOn\":\"2019-11-07T10:39:00.9481726Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"not\":{\"field\":\"location\",\"in\":[\"northeurope\",\"westeurope\"]}},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/pol-def-9447\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"pol-def-9447\"},{\"properties\":{\"policyType\":\"Custom\",\"mode\":\"Indexed\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-12T13:23:03.0790705Z\",\"updatedBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"updatedOn\":\"2020-02-12T13:23:32.6581852Z\"},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts/write\"},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/readOnlyStorage\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"readOnlyStorage\"},{\"properties\":{\"displayName\":\"Sumit- + NSG X on every subnet\",\"policyType\":\"Custom\",\"mode\":\"All\",\"description\":\"This + policy enforces a specific NSG on every 
subnet\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-01-02T03:24:40.1850198Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"field\":\"type\",\"equals\":\"Microsoft.Storage/storageAccounts/write\"},\"then\":{\"effect\":\"deny\"}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/sumit-enforce-nsg-on-subnett2\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"sumit-enforce-nsg-on-subnett2\"},{\"properties\":{\"displayName\":\"test_data_policyhdgk\",\"policyType\":\"Custom\",\"mode\":\"Microsoft.DataCatalog.Data\",\"description\":\"desc_for_test_data_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-25T11:29:26.403926Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"field\":\"Microsoft.DataCatalog.Data/catalog/entity/type\",\"equals\":\"SomeEntityType\"},\"then\":{\"effect\":\"ModifyClassifications\",\"details\":{\"classificationsToAdd\":[\"foo\"],\"classificationsToRemove\":[\"bar\"]}}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policy6jjr\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-data-policy6jjr\"},{\"properties\":{\"displayName\":\"test_data_policypcmv\",\"policyType\":\"Custom\",\"mode\":\"Microsoft.DataCatalog.Data\",\"description\":\"desc_for_test_data_policy_123\",\"metadata\":{\"createdBy\":\"9ac534f1-d577-4034-a32d-48de400dacbf\",\"createdOn\":\"2020-02-26T01:39:05.696658Z\",\"updatedBy\":null,\"updatedOn\":null},\"policyRule\":{\"if\":{\"field\":\"Microsoft.DataCatalog.Data/catalog/entity/type\",\"equals\":\"SomeEntityType\"},\"then\":{\"effect\":\"ModifyClassifications\",\"details\":{\"classificationsToAdd\":[\"foo\"],\"classificationsToRemove\":[\"bar\"]}}}},\"id\":\"/subscriptions/00000000-0000-0000-0000-0000
00000000/providers/Microsoft.Authorization/policyDefinitions/azure-cli-test-data-policyc6ve\",\"type\":\"Microsoft.Authorization/policyDefinitions\",\"name\":\"azure-cli-test-data-policyc6ve\"}]}" + headers: + cache-control: + - no-cache + content-length: + - '1849133' + content-type: + - application/json; charset=utf-8 + date: + - Wed, 26 Feb 2020 03:33:29 GMT + expires: + - '-1' + pragma: + - no-cache + strict-transport-security: + - max-age=31536000; includeSubDomains + transfer-encoding: + - chunked + vary: + - Accept-Encoding,Accept-Encoding + x-content-type-options: + - nosniff + status: + code: 200 + message: OK +version: 1 diff --git a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py index 900f2feb250..c191a1a1394 100644 --- a/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py +++ b/src/azure-cli/azure/cli/command_modules/resource/tests/latest/test_resource.py 
@@ -1265,6 +1265,41 @@ def test_show_built_in_policy(self):
 self.check('id', '{id}')
 ])
 
+ # Because the policy assignment name is generated randomly and automatically, the value of each run is different,
+ # so it cannot be rerecord.
+ @ResourceGroupPreparer(name_prefix='cli_test_resource_create_policy_assignment_random')
+ @AllowLargeResponse(4096)
+ @live_only()
+ def test_resource_create_policy_assignment_random(self, resource_group, management_group=None, subscription=None):
+ curr_dir = os.path.dirname(os.path.realpath(__file__))
+ self.kwargs.update({
+ 'pn': self.create_random_name('azure-cli-test-policy', 30),
+ 'rf': os.path.join(curr_dir, 'sample_policy_rule.json').replace('\\', '\\\\'),
+ 'pdf': os.path.join(curr_dir, 'sample_policy_param_def.json').replace('\\', '\\\\'),
+ 'pdn': self.create_random_name('test_policy', 20),
+ 'desc': 'desc_for_test_policy_123',
+ 'padn': self.create_random_name('test_assignment', 20),
+ 'params': os.path.join(curr_dir, 'sample_policy_param.json').replace('\\', '\\\\')
+ })
+
+ self.cmd('policy definition create -n {pn} --rules {rf} --params {pdf} --display-name {pdn} --description {desc}', management_group, subscription)
+
+ self.kwargs['pan_random'] = self.cmd('policy assignment create --policy {pn} --display-name {padn} -g {rg} --params {params}', checks=[
+ self.check('displayName', '{padn}'),
+ self.check('sku.name', 'A0'),
+ self.check('sku.tier', 'Free'),
+ ]).get_output_in_json()['name']
+
+ # clean policy assignment and policy
+ self.cmd('policy assignment delete -n {pan_random} -g {rg}')
+ self.cmd('policy assignment list --disable-scope-strict-match',
+ checks=self.check("length([?name=='{pan_random}'])", 0))
+ cmd = self.cmdstring('policy definition delete -n {pn}', management_group, subscription)
+ self.cmd(cmd)
+ time.sleep(10)
+ cmd = self.cmdstring('policy definition list', management_group, subscription)
+ self.cmd(cmd, checks=self.check("length([?name=='{pn}'])", 0))
+
 
 class ManagedAppDefinitionScenarioTest(ScenarioTest):
 @ResourceGroupPreparer()
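Review bot: `@live_only()` and the comment above it mean this test is never replayed, yet the commit also adds a recording for it, and the recorded list responses still carry `createdBy`/`updatedBy` GUIDs (they look like directory object IDs) and the display names of unrelated custom policy definitions from the recording subscription. I would leave that recording out of the commit rather than publish tenant metadata that no test run reads. In the test body, the two delete calls run only when every earlier check passes, so a failed assertion leaves the subscription-level definition `{pn}` behind; wrapping the create-and-check part in `try:` and moving the deletes under `finally:` would keep the subscription clean. The new test is complete within the hunk, while its enclosing class starts outside it.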