Azure Auto-Checks Detailed Explanations
How to remediate failed Auto-Checks?
Articles
- Verify that Activity Log Alert exists for Create Policy Assignment
- Verify that That Microsoft Defender for SQL Servers on Machines Is Set To 'On'
- Verify that Activity Log Alert exists for Delete Public IP Address rule
- Verify that server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- Verify that 'Additional email addresses' is Configured with a Security Contact Email
- Verify that Microsoft Defender for Containers Is Set To 'On'
- Verify that 'Enforce SSL connection' is set to 'Enabled' for Standard MySQL Database Server
- Verify that SSH access from the Internet is evaluated and restricted
- Verify that 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- Verify that Activity Log Alert exists for Create or Update Public IP Address rule
- Verify that the Expiration Date is set for all Secrets in RBAC Key Vaults
- Verify that Activity Log Alert exists for Delete Security Solution
- Verify that 'Guest invite restrictions' is set to 'Only users assigned to specific admin roles can invite guest users'
- Verify that 'Auditing' Retention is 'greater than 90 days'
- Verify that the Key Vault is Recoverable
- Verify that 'Restrict non-admin users from creating tenants' is set to 'Yes'
- Verify that HTTP(S) access from the Internet is evaluated and restricted
- Verify that That Microsoft Defender for App Services Is Set To 'On'
- Verify that That 'All users with the following roles' is set to 'Owner'
- Verify that Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- Verify that That Private Endpoints Are Used Where Possible
- Verify that Private Endpoints are Used for Azure Key Vault
- Ensure Microsoft Defender for open-source relational databases is enabled
- Verify that 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- Verify that SQL server's Transparent Data Encryption (TDE) protector is encrypted
- Verify That Microsoft Defender for IoT Hub Is Set To 'On'
- Verify that Activity Log Alert exists for Create or Update Network Security Group
- Verify that the storage account containing the container with activity logs is encrypted with Customer Managed Key
- Verify that logging for Azure AppService 'HTTP logs' is enabled
- Verify that That 'Firewalls & Networks' Is Limited to Use Selected Networks Instead of All Networks
- Verify that 'TLS Version' is set to 'TLSV1.2' for MySQL flexible Database Server
- Verify that That Microsoft Defender for Storage Is Set To 'On'
- Verify that no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP)
- Verify that Activity Log Alert exists for Create or Update Security Solution
- Verify that server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- Enable Role Based Access Control for Azure Key Vault
- Verify that Activity Log Alert exists for Delete Network Security Group
- Verify that Application Insights are Configured.
- Verify that the Expiration Date is set for all Keys in RBAC Key Vaults
- Verify that server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- Verify that Diagnostic Setting captures appropriate categories
- Verify that RDP access from the Internet is evaluated and restricted
- Verify that Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- Verify that That 'Users Can Register Applications' Is Set to 'No'
- Verify that logging for Azure Key Vault is 'Enabled'
- Verify that Activity Log Alert exists for Delete Policy Assignment
- Verify that That 'Guest users access restrictions' is set to 'Guest user access is restricted to properties and memberships of their own directory objects'
- Verify that Activity Log Alert exists for Delete SQL Server Firewall Rule
- Verify that Activity Log Alert exists for Create or Update SQL Server Firewall Rule
- Verify that That 'Notify about alerts with the following severity' is Set to 'High'