diff --git a/PolicyInitiatives/ISM/ISM_mapping.xlsx b/PolicyInitiatives/ISM/ISM_mapping.xlsx
new file mode 100644
index 0000000..020ce19
Binary files /dev/null and b/PolicyInitiatives/ISM/ISM_mapping.xlsx differ
diff --git a/PolicyInitiatives/ISM/NZISM-ISM Document-V.-3.7-February-2024.pdf b/PolicyInitiatives/ISM/NZISM-ISM Document-V.-3.7-February-2024.pdf
new file mode 100644
index 0000000..d0f82a2
Binary files /dev/null and b/PolicyInitiatives/ISM/NZISM-ISM Document-V.-3.7-February-2024.pdf differ
diff --git a/PolicyInitiatives/ISM/NewZealandISM.json b/PolicyInitiatives/ISM/NewZealandISM.json
new file mode 100644
index 0000000..8cb4a79
--- /dev/null
+++ b/PolicyInitiatives/ISM/NewZealandISM.json
@@ -0,0 +1,2895 @@ +{ + "properties": { + "displayName": "New Zealand ISM", + "policyType": "Custom", + "description": "New Zealand Information Security Manual (ISM) policy initiative. This policy set includes definitions that have a Deny effect by default", + "metadata": { + "category": "Regulatory Compliance", + "version": "1.0.0-preview", + "preview": true + }, + "version": "1.0.0-preview", + "policyDefinitionGroups": [ + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.2.5.C.01", + "description": "A baseline or known point of origin is the basis of any comparison and allows measurement of changes and improvements when further information security monitoring activities are conducted.", + "name": "New_Zealand_ISM_06.2.5.C.01", + "category": "06. Information security monitoring" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.2.6.C.01", + "description": "Vulnerabilities may occur as a result of poorly designed or implemented information security practices", + "name": "New_Zealand_ISM_06.2.6.C.01", + "category": "06. Information security monitoring" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_06.4.5.C.01", + "description": "Availability and recovery requirements will vary based on each agency s business needs and are likely to be widely variable across government. Agencies will determine their own availability and recovery requirements and implement measures consistent with the agency's SRMP to achieve them as part of their risk management and governance processes.", + "name": "New_Zealand_ISM_06.4.5.C.01", + "category": "06. 
Information security monitoring" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_07.1.7.C.02", + "description": "Processes and procedures for the detection of information security incidents will assist in mitigating attacks using the most common vectors in systems exploits.", + "name": "New_Zealand_ISM_07.1.7.C.02", + "category": "07. Information Security Incidents" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_07.2.22.C.01", + "description": "In the case of outsourcing of information technology services and functions", + "name": "New_Zealand_ISM_07.2.22.C.01", + "category": "07. Information Security Incidents" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_10.8.35.C.01", + "description": "Security architectures MUST apply the principles of separation and segregation.", + "name": "New_Zealand_ISM_10.8.35.C.01", + "category": "10. Infrastructure" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_12.4.4.C.02", + "description": "The assurance provided by an evaluation is related to the date at which the results were issued. Over the course of a normal product lifecycle", + "name": "New_Zealand_ISM_12.4.4.C.02", + "category": "12. Product Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.1.8.C.01", + "description": "Antivirus and anti-malware software", + "name": "New_Zealand_ISM_14.1.8.C.01", + "category": "14. Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.1.9.C.01", + "description": "Whilst a SOE can be sufficiently hardened when it is deployed", + "name": "New_Zealand_ISM_14.1.9.C.01", + "category": "14. 
Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.2.4.C.01", + "description": "Application access control can be an effective mechanism to prevent the successful compromise of an agency system resulting from the exploitation of a vulnerability in an application or the execution of malicious code.", + "name": "New_Zealand_ISM_14.2.4.C.01", + "category": "14. Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_14.5.8.C.01", + "description": "The Open Web Application Security Project guide provides a comprehensive resource to consult when developing Web applications.", + "name": "New_Zealand_ISM_14.5.8.C.01", + "category": "14. Software security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.1.32.C.01", + "description": "Agencies MUST ensure that all system users are uniquely identifiable; and authenticated on each occasion that access is granted to a system.", + "name": "New_Zealand_ISM_16.1.32.C.01", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.3.5.C.02", + "description": "Inappropriate use of any feature or facility of a system that enables a privileged user to override system or application controls can be a major contributory factor to failures", + "name": "New_Zealand_ISM_16.3.5.C.02", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.4.30.C.01", + "description": "The requirement for an agency security policy is discussed and described in Chapter 5 Information Security Documentation.  A fundamental part of any security policy is the inclusion of requirements for the treatment of Privileged Accounts.  
This is most conveniently contained in a Privileged Access Management (PAM) section within the agency s security policy.  A PAM policy is a fundamental component of an agency s IT Governance.", + "name": "New_Zealand_ISM_16.4.30.C.01", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_16.4.32.C.01", + "description": "The approval and authorisation process for the granting of privileged access should be based on the requirement to manage and protect agency systems and assets or as an operational necessity only.", + "name": "New_Zealand_ISM_16.4.32.C.01", + "category": "16. Access Control and Passwords" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.1.55.C.03", + "description": "When encryption is applied to information being communicated over networks", + "name": "New_Zealand_ISM_17.1.55.C.03", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.1.58.C.01", + "description": "All cryptographic keys have a limited useful life after which the key should be replaced or retired. Typically the useful life of the cryptographic key (cryptoperiod) is use", + "name": "New_Zealand_ISM_17.1.58.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.19.C.01", + "description": "While ECDH should be used in preference to DH", + "name": "New_Zealand_ISM_17.2.19.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.22.C.01", + "description": "A field/key size of at least 384 bits for ECDH is now considered good practice by the cryptographic community.", + "name": "New_Zealand_ISM_17.2.22.C.01", + "category": "17. 
Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.2.24.C.01", + "description": "A modulus of at least 3072 bits for RSA is considered good practice by the cryptographic community.", + "name": "New_Zealand_ISM_17.2.24.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.4.16.C.01", + "description": "Whilst version 1.0 of SSL was never released", + "name": "New_Zealand_ISM_17.4.16.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.5.6.C.01", + "description": "The configuration directives provided are based on the OpenSSH implementation of SSH. Agencies implementing SSH will need to adapt these settings to suit other SSH implementations.", + "name": "New_Zealand_ISM_17.5.6.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.5.7.C.01", + "description": "Public key-based systems have greater potential for strong authentication", + "name": "New_Zealand_ISM_17.5.7.C.01", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.9.35.C.01", + "description": "The cryptographic system administrator is a highly privileged position which involves granting privileged access to a cryptographic system. Therefore extra precautions need to be put in place surrounding the security and vetting of the personnel as well as the access control procedures for individuals designated as cryptographic system administrators.", + "name": "New_Zealand_ISM_17.9.35.C.01", + "category": "17. 
Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_17.9.36.C.02", + "description": "As cryptographic equipment contains particularly sensitive information additional physical security measures need to be applied to the equipment.", + "name": "New_Zealand_ISM_17.9.36.C.02", + "category": "17. Cryptography" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.1.10.C.01", + "description": "If the network is not centrally managed", + "name": "New_Zealand_ISM_18.1.10.C.01", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.1.13.C.02", + "description": "If an attacker has limited opportunities to connect to a given network", + "name": "New_Zealand_ISM_18.1.13.C.02", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.4.7.C.02", + "description": "An IDS/IPS when configured correctly", + "name": "New_Zealand_ISM_18.4.7.C.02", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_18.4.8.C.01", + "description": "If the firewall is configured to block all traffic on a particular range of port numbers", + "name": "New_Zealand_ISM_18.4.8.C.01", + "category": "18. Network security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_22.1.24.C.03", + "description": "Cloud service providers may not provide adequate physical security and physical and logical access controls to meet agencies requirements.  An assessment of cloud service risks will include physical and systems security.  Refer also to Chapter 19 Gateway Security", + "name": "New_Zealand_ISM_22.1.24.C.03", + "category": "22. 
Enterprise systems security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_22.1.24.C.04", + "description": "Cloud service providers may not provide adequate physical security and physical and logical access controls to meet agencies requirements.  An assessment of cloud service risks will include physical and systems security.  Refer also to Chapter 19 Gateway Security", + "name": "New_Zealand_ISM_22.1.24.C.04", + "category": "22. Enterprise systems security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.3.19.C.01", + "description": "Credentials used to access public cloud services can be reused across cloud service providers", + "name": "New_Zealand_ISM_23.3.19.C.01", + "category": "23. Public Cloud Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.4.10.C.01", + "description": "Many public cloud services are designed to make customer data directly accessible through multiple interfaces. These service endpoints may be internet-accessible by default", + "name": "New_Zealand_ISM_23.4.10.C.01", + "category": "23. Public Cloud Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.4.9.C.01", + "description": "Agencies remain accountable for the confidentiality", + "name": "New_Zealand_ISM_23.4.9.C.01", + "category": "23. Public Cloud Security" + }, + { + "additionalMetadataId": "/providers/Microsoft.PolicyInsights/policyMetadata/New_Zealand_ISM_23.5.11.C.01", + "description": "It may not be possible", + "name": "New_Zealand_ISM_23.5.11.C.01", + "category": "23. 
Public Cloud Security" + } + ], + "parameters": { + "modeRequirement-1": { + "type": "String", + "metadata": { + "displayName": "Mode Requirement", + "description": "Mode required for all WAF policies" + }, + "allowedValues": [ + "Prevention", + "Detection" + ], + "defaultValue": "Detection" + }, + "audit_effect-1": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Disabled" + ], + "defaultValue": "Audit" + }, + "deny_effect-1": { + "type": "String", + "metadata": { + "displayName": "Audit, deny or disable the execution of the policy", + "description": "Audit, deny or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + }, + "evaluatedSkuNames-2": { + "type": "Array", + "metadata": { + "displayName": "Azure Spring Cloud SKU Names", + "description": "List of Azure Spring Cloud SKUs against which this policy will be evaluated." + }, + "allowedValues": [ + "Standard", + "Enterprise" + ], + "defaultValue": [ + "Standard", + "Enterprise" + ] + }, + "allowedIPAddresses-1": { + "type": "Array", + "metadata": { + "displayName": "Allowed IP addresses", + "description": "Array with allowed public IP addresses. An empty array is evaluated as to allow all IPs." 
+ }, + "defaultValue": [] + }, + "IncludeArcMachines-1": { + "type": "String", + "metadata": { + "displayName": "Include Arc connected servers", + "description": "By selecting this option, you agree to be charged monthly per Arc connected machine.", + "portalReview": "true" + }, + "allowedValues": [ + "true", + "false" + ], + "defaultValue": "false" + }, + "minimumTlsVersion-2": { + "type": "String", + "metadata": { + "displayName": "Minimum TLS Version", + "description": "Minimum version of TLS required to access data in this storage account" + }, + "allowedValues": [ + "TLS1_0", + "TLS1_1", + "TLS1_2" + ], + "defaultValue": "TLS1_2" + }, + "forbiddenIPAddresses-1": { + "type": "Array", + "metadata": { + "displayName": "Forbidden IP addresses", + "description": "Array with forbidden public IP addresses. An empty array is evaluated as there are no forbidden IP addresses." + }, + "defaultValue": [] + }, + "LinuxPythonVersion-1": { + "type": "String", + "metadata": { + "displayName": "Linux Python version", + "description": "Specify a supported Python version for App Service" + }, + "defaultValue": "" + }, + "excludedNamespaces-1": { + "type": "Array", + "metadata": { + "displayName": "Namespace exclusions", + "description": "List of Kubernetes namespaces to exclude from policy evaluation. System namespaces \"kube-system\", \"gatekeeper-system\" and \"azure-arc\" are always excluded by design. \"azure-extensions-usage-system\" is optional to remove." + }, + "defaultValue": [ + "kube-system", + "gatekeeper-system", + "azure-arc", + "azure-extensions-usage-system" + ] + }, + "minimumRSAKeySize-1": { + "type": "Integer", + "metadata": { + "displayName": "Minimum RSA key size", + "description": "The minimum key size for RSA keys." 
+ }, + "allowedValues": [ + 2048, + 3072, + 4096 + ] + }, + "excludedImages-1": { + "type": "Array", + "metadata": { + "displayName": "Image exclusions", + "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identifier is the image of container. Prefix-matching can be signified with `*`. For example: `myregistry.azurecr.io/istio:*`. It is recommended that users use the fully-qualified Docker image name (e.g. start with a domain name) in order to avoid unexpectedly exempting images from an untrusted repository.", + "portalReview": true + }, + "defaultValue": [] + }, + "LinuxJavaVersion-1": { + "type": "String", + "metadata": { + "displayName": "Linux Java version", + "description": "Specify a supported Java version for App Service" + }, + "defaultValue": "" + }, + "allowedECNames-1": { + "type": "Array", + "metadata": { + "displayName": "Allowed elliptic curve names", + "description": "The list of allowed curve names for elliptic curve cryptography certificates." + }, + "allowedValues": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ], + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] + }, + "namespaces-1": { + "type": "Array", + "metadata": { + "displayName": "Namespace inclusions", + "description": "List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces." + }, + "defaultValue": [] + }, + "LinuxPHPVersion-1": { + "type": "String", + "metadata": { + "displayName": "Linux PHP version", + "description": "Specify a supported PHP version for App Service" + }, + "defaultValue": "" + }, + "evaluatedSkuNames-1": { + "type": "Array", + "metadata": { + "displayName": "API Management SKU Names", + "description": "List of API Management SKUs against which this policy will be evaluated." 
+ }, + "allowedValues": [ + "Developer", + "Basic", + "Standard", + "Premium", + "Consumption" + ], + "defaultValue": [ + "Developer", + "Premium" + ] + }, + "MinimumTLSVersion-1": { + "type": "String", + "metadata": { + "displayName": "Minimum TLS version", + "description": "The minimum TLS protocol version that should be enabled. Windows machines with lower TLS versions will be marked as non-compliant." + }, + "allowedValues": [ + "1.1", + "1.2" + ], + "defaultValue": "1.2" + }, + "endpointType-1": { + "type": "String", + "metadata": { + "displayName": "Public Endpoint Type", + "description": "Public Endpoint Type for which to enforce the access check" + }, + "allowedValues": [ + "Management", + "Git", + "Gateway Configuration" + ], + "defaultValue": "Management" + }, + "labelSelector-1": { + "type": "Object", + "metadata": { + "displayName": "Kubernetes label selector", + "description": "Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources." + }, + "defaultValue": {}, + "schema": { + "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all resources.", + "type": "object", + "properties": { + "matchLabels": { + "description": "matchLabels is a map of {key,value} pairs.", + "type": "object", + "additionalProperties": { + "type": "string" + }, + "minProperties": 1 + }, + "matchExpressions": { + "description": "matchExpressions is a list of values, a key, and an operator.", + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values.", + "type": "string", + "enum": [ + "In", + "NotIn", + "Exists", + "DoesNotExist" + ] + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.", + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "key", + "operator" + ], + "additionalProperties": false + }, + "minItems": 1 + } + }, + "additionalProperties": false + } + }, + "restrictIPAddresses-1": { + "type": "String", + "metadata": { + "displayName": "Would you like to restrict specific IP addresses?", + "description": "Select (Yes) to allow or forbid a list of IP addresses. 
If (No), the list of IP addresses won't have any effect in the policy enforcement" + }, + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "requiredRetentionDays-1": { + "type": "String", + "metadata": { + "displayName": "Required retention (days)", + "description": "The required resource logs retention in days" + }, + "defaultValue": "365" + }, + "setting-1": { + "type": "String", + "metadata": { + "displayName": "Desired Auditing setting" + }, + "allowedValues": [ + "enabled", + "disabled" + ], + "defaultValue": "enabled" + }, + "excludedContainers-1": { + "type": "Array", + "metadata": { + "displayName": "Containers exclusions", + "description": "The list of InitContainers and Containers to exclude from policy evaluation. The identify is the name of container. Use an empty list to apply this policy to all containers in all namespaces." + }, + "defaultValue": [] + }, + "warn-1": { + "type": "Boolean", + "metadata": { + "displayName": "Warn", + "description": "Whether or not to return warnings back to the user in the kubectl cli" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": false + }, + "excludedKinds-1": { + "type": "Array", + "metadata": { + "displayName": "Excluded Kinds", + "description": "The list of excluded API kinds for customer-managed key, default is the list of API kinds that don't have data stored in Cognitive Services" + }, + "defaultValue": [ + "CognitiveServices", + "Knowledge", + "LUIS", + "QnAMaker", + "TextAnalytics", + "ComputerVision", + "HealthDecisionSupport", + "ImmersiveReader" + ] + }, + "NotAvailableMachineState-1": { + "type": "String", + "metadata": { + "displayName": "Status if Windows Defender is not available on machine", + "description": "Windows Defender Exploit Guard is only available starting with Windows 10/Windows Server with update 1709. 
Setting this value to 'Non-Compliant' shows machines with older versions on which Windows Defender Exploit Guard is not available (such as Windows Server 2012 R2) as non-compliant. Setting this value to 'Compliant' shows these machines as compliant." + }, + "allowedValues": [ + "Compliant", + "Non-Compliant" + ], + "defaultValue": "Compliant" + } + }, + "policyDefinitions": [ + { + "policyDefinitionReferenceId": "A vulnerability assessment solution should be enabled on your virtual machines", + "groupNames": [ + "New_Zealand_ISM_06.2.5.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Vulnerability assessment should be enabled on SQL Managed Instance", + "groupNames": [ + "New_Zealand_ISM_06.2.5.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Vulnerability assessment should be enabled on your SQL servers", + "groupNames": [ + "New_Zealand_ISM_06.2.5.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "SQL databases should have vulnerability findings resolved", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc", + "definitionVersion": "4.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "SQL servers on machines should have vulnerability findings resolved", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ba6d016-e7c3-4842-b8f2-4992ebc0d72d", + 
"definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Vulnerabilities in container security configurations should be remediated", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8cbc669-f12d-49eb-93e7-9273119e9933", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Vulnerabilities in security configuration on your machines should be remediated", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Vulnerabilities in security configuration on your virtual machine scale sets should be remediated", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Machines should have secret findings resolved", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3ac7c827-eea2-4bde-acc7-9568cd320efa", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure registry container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/090c7b07-b4ed-4561-ad20-e9075f3ccaff", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure running container images should have vulnerabilities resolved (powered by Microsoft Defender Vulnerability Management)", + "groupNames": 
[ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17f4b1cc-c55c-4d94-b1f9-2978f6ac2957", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Configure Microsoft Defender for Containers to be enabled", + "groupNames": [ + "New_Zealand_ISM_06.2.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Audit virtual machines without disaster recovery configured", + "groupNames": [ + "New_Zealand_ISM_06.4.5.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for App Service should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2913021d-f2fd-4f3d-b958-22354e2bdbcb", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for Azure SQL Database servers should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7fe3b40f-802b-4cdd-8bd4-fd799c948cc2", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for Key Vault should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e6763cc-5078-4e64-889d-ff4d9a839047", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for open-source relational databases should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a9fbe0d-c5c4-4da8-87d8-f4fd77338835", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for Resource Manager should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3d20c29-b36d-48fe-808b-99a87530ad99", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for servers should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4da35fc9-c9e7-4960-aec9-797fe7d9051d", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for SQL servers on machines should be enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6581d072-105e-4418-827f-bd446d56421b", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected Azure SQL servers", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected SQL Managed Instances", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Kubernetes Service clusters should have Defender profile enabled", + "groupNames": [ + "New_Zealand_ISM_07.1.7.C.02" + ], + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1840de2-8088-4ea8-b153-b4c723e9cb01",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft Defender for Containers should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_07.1.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c988dd6-ade4-430f-a608-2a3e5b0a6d38",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft Defender for Storage should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_07.1.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/640d2586-54d2-465f-877f-9ffc1d2109f4",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft Defender for APIs should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_07.1.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7926a6d1-b268-4586-8197-e8ae90c877d7",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft Defender for Azure Cosmos DB should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_07.1.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/adbe85b5-83e6-4350-ab58-bf3a4f736e5e",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft Defender for SQL should be enabled for unprotected Synapse workspaces",
+ "groupNames": [
+ "New_Zealand_ISM_07.1.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d31e5c31-63b2-4f12-887b-e49456834fa1",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Defender for SQL should be enabled for unprotected PostgreSQL flexible servers",
+ "groupNames": [
+ "New_Zealand_ISM_07.1.7.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d38668f5-d155-42c7-ab3d-9b57b50f8fbf",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Email notification for high severity alerts should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_07.2.22.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6e2593d9-add6-4083-9c9b-4b7d2188c899",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Email notification to subscription owner for high severity alerts should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_07.2.22.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b15565f-aa9e-48ba-8619-45960f2c314d",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Subscriptions should have a contact email address for security issues",
+ "groupNames": [
+ "New_Zealand_ISM_07.2.22.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API Management services should use a virtual network",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "evaluatedSkuNames": {
+ "value": "[parameters('evaluatedSkuNames-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Configuration should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca610c1d-041c-4332-9d88-7ed3094967c7",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure API for FHIR should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1ee56206-5dd1-42ab-b02d-8aae8b1634ce",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Cache for Redis should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7803067c-7d34-46e3-8c79-0ca68fc4036d",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Event Grid domains should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9830b652-8523-49cc-b1b3-e17dce1127ca",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Event Grid topics should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4b90e17e-8448-49db-875e-bd83fb6f804f",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Key Vaults should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6abeaec-4d90-4a02-805f-6b26c4d3fbe9",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "audit_effect": {
+ "value": "[parameters('audit_effect-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Machine Learning workspaces should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SignalR Service should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2393d2cf-a342-44cd-a2e2-fe0188fd1234",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Spring Cloud should use network injection",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af35e2a4-ef96-44e7-a9ae-853dd97032c4",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "evaluatedSkuNames": {
+ "value": "[parameters('evaluatedSkuNames-2')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Container registries should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8eef0a8-67cf-4eb4-9386-14b0e78733d4",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Private endpoint connections on Azure SQL Database should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7698e800-9299-47a6-b3b6-5a0fee576eed",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Private endpoint connections on Batch accounts should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/009a0c92-f5b4-4776-9b66-4ed2b4775563",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Private endpoint should be enabled for MariaDB servers",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Private endpoint should be enabled for MySQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Private endpoint should be enabled for PostgreSQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Public network access should be disabled for MySQL flexible servers",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL flexible servers",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage accounts should restrict network access using virtual network rules",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage accounts should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6edd7eda-6dd8-40f7-810d-67160c639cd9",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "VM Image Builder templates should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2154edb9-244f-4741-9970-660785bccdaa",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Databricks Clusters should disable public IP",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51c1490f-3319-459c-bbbc-7f391bbed753",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Databricks Workspaces should disable public network access",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e7849de-b939-4c50-ab48-fc6b0f5eeba2",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Databricks Workspaces should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/258823f2-4595-4b52-b333-cc96192710d8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Machine Learning Workspaces should disable public network access",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Cosmos DB should disable public network access",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Databricks Workspaces should be in a virtual network",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9c25c9e4-ee12-4882-afd2-11fb9d87893f",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Managed Instances should disable public network access",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Cognitive Services should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cddd188c-4b82-4c48-a19d-ddf74ee66a01",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API Management should disable public network access to the service configuration endpoints",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "endpointType": {
+ "value": "[parameters('endpointType-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "CosmosDB accounts should use private link",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/58440f8a-10c5-4151-bdce-dfbaad4a20b7",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Machine Learning Computes should be in a virtual network",
+ "groupNames": [
+ "New_Zealand_ISM_10.8.35.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "System updates on virtual machine scale sets should be installed",
+ "groupNames": [
+ "New_Zealand_ISM_12.4.4.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3f317a7-a95c-4547-b7e7-11017ebdf2fe",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "System updates should be installed on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_12.4.4.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86b3d65f-7626-441e-b690-81a8b71cff60",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Machines should be configured to periodically check for missing system updates",
+ "groupNames": [
+ "New_Zealand_ISM_12.4.4.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd876905-5b84-4f73-ab2d-2e7a7c4568d9",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Machine Learning compute instances should be recreated to get the latest software updates",
+ "groupNames": [
+ "New_Zealand_ISM_12.4.4.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "effects": {
+ "value": "[parameters('audit_effect-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should have remote debugging turned off",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should have remote debugging turned off",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Management ports should be closed on your virtual machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Role-Based Access Control (RBAC) should be used on Kubernetes Services",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Endpoint protection health issues should be resolved on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e42c1f2-a2ab-49bc-994a-12bcd0dc4ac2",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Endpoint protection should be installed on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f7c564c-0a90-4d44-b7e1-9d456cffaee8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Endpoint protection solution should be installed on virtual machine scale sets",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/26a828e1-e88f-464e-bbb3-c134a282b9de",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Guest Configuration extension should be installed on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae89ebca-1c92-4898-ac2c-9f63decb045c",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes cluster containers should not share host process ID or host IPC namespace",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes cluster containers should run with a read only root file system",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df49d893-a74c-421d-bc95-c663042e5b80",
+ "definitionVersion": "6.*.*",
+ "parameters": {
+ "warn": {
+ "value": "[parameters('warn-1')]"
+ },
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes cluster should not allow privileged containers",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4",
+ "definitionVersion": "9.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes clusters should be accessible only over HTTPS",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d",
+ "definitionVersion": "8.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes clusters should disable automounting API credentials",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/423dd1ba-798e-40e4-9c4d-b6902674b423",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes clusters should not allow container privilege escalation",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99",
+ "definitionVersion": "7.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d2e7ea85-6b44-4317-a0be-1b951587f626",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "excludedImages": {
+ "value": "[parameters('excludedImages-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "excludedContainers": {
+ "value": "[parameters('excludedContainers-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Kubernetes clusters should not use the default namespace",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "excludedNamespaces": {
+ "value": "[parameters('excludedNamespaces-1')]"
+ },
+ "labelSelector": {
+ "value": "[parameters('labelSelector-1')]"
+ },
+ "namespaces": {
+ "value": "[parameters('namespaces-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Management ports of virtual machines should be protected with just-in-time network access control",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft Antimalware for Azure should be configured to automatically update protection signatures",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Microsoft IaaSAntimalware extension should be deployed on Windows servers",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9b597639-28e4-48eb-b506-56b05d366257",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Monitor missing Endpoint Protection in Azure Security Center",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/af6cd1bd-1635-48cb-bde7-5b15693900b9",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Virtual machines- Guest Configuration extension should be deployed with system-assigned managed identity",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d26f7642-7545-4e18-9b75-8c9bbdee3a9a",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Windows Defender Exploit Guard should be enabled on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.1.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bed48b13-6647-468e-aa2f-1af1d3f4dd40",
+ "definitionVersion": "2.*.*",
+ "parameters": {
+ "IncludeArcMachines": {
+ "value": "[parameters('IncludeArcMachines-1')]"
+ },
+ "NotAvailableMachineState": {
+ "value": "[parameters('NotAvailableMachineState-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Adaptive application controls for defining safe applications should be enabled on your machines",
+ "groupNames": [
+ "New_Zealand_ISM_14.2.4.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a6b606-51aa-4496-8bb7-64b11cf66adc",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Allowlist rules in your adaptive application control policy should be updated",
+ "groupNames": [
+ "New_Zealand_ISM_14.2.4.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/123a3936-f020-408a-ba0c-47873faf1534",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should have authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95bccee9-a7f8-4bec-9ee9-62c3473701fc",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should not have CORS configured to allow every resource to access your apps",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should only be accessible over HTTPS",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should require FTPS only",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should use latest -HTTP Version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c122334-9d20-4eb8-89ea-ac9a705b74ae",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps that use Java should use a specified -Java version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/496223c3-ad65-4ecd-878a-bae78737e9ed",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "LinuxJavaVersion": {
+ "value": "[parameters('LinuxJavaVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps that use PHP should use a specified -PHP version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7261b898-8a84-4db8-9e04-18527132abb3",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "LinuxPHPVersion": {
+ "value": "[parameters('LinuxPHPVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps that use Python should use a specified -Python version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7008174a-fd10-4ef0-817e-fc820a951d73",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "LinuxPythonVersion": {
+ "value": "[parameters('LinuxPythonVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should have authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c75248c1-ea1d-4a9c-8fc9-29a6aabd5da8",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should not have CORS configured to allow every resource to access your apps",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should only be accessible over HTTPS",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
+ "definitionVersion": "5.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should require FTPS only",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should use latest -HTTP Version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e2c1c086-2d84-4019-bff3-c44ccd95113c",
+ "definitionVersion": "4.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps that use Java should use a specified -Java version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "LinuxJavaVersion": {
+ "value": "[parameters('LinuxJavaVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps that use Python should use a specified -Python version-",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7238174a-fd10-4ef0-817e-fc820a951d73",
+ "definitionVersion": "4.*.*",
+ "parameters": {
+ "LinuxPythonVersion": {
+ "value": "[parameters('LinuxPythonVersion-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should have Client Certificates (Incoming client certificates) enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19dd1db6-f442-49cf-a838-b0786b4401ef",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service app slots should have Client Certificates (Incoming client certificates) enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b0bd968-5cb5-4513-8987-27786c6f0df8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should have Client Certificates (Incoming client certificates) enabled",
+ "groupNames": [
+ "New_Zealand_ISM_14.5.8.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ab6a902f-9493-453b-928d-62c30b11b5a6",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should use managed identity",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled during creation",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Cosmos DB database accounts should have local authentication methods disabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Function apps should use managed identity",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Service Fabric clusters should only use Azure Active Directory for client authentication",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API Management calls to API backends should be authenticated",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage accounts should prevent shared key access",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0c28c3fb-c244-42d5-a9bf-f35f2999577b",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for MySQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/146412e9-005c-472b-9e48-c87b72ac229e",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure MySQL flexible server should have Microsoft Entra Only Authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/40e85574-ef33-47e8-a854-7a65c7500560",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Synapse Workspaces should have Microsoft Entra-only authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6ea81a52-5ca7-4575-9669-eaa910b7edf8",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure AI Services resources should have key access disabled (disable local authentication)",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure SQL Database should have Microsoft Entra-only authentication enabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b3a22bc9-66de-45fb-98fa-00f5df42f41a",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "A Microsoft Entra administrator should be provisioned for PostgreSQL servers",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4dec045-250a-48c2-b5cc-e0c4eec8b5b4",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Azure Machine Learning Computes should have local authentication methods disabled",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "API endpoints in Azure API Management should be authenticated",
+ "groupNames": [
+ "New_Zealand_ISM_16.1.32.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac833bd-f505-48d5-887e-c993a1d3eea0",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "A maximum of 3 owners should be designated for your subscription",
+ "groupNames": [
+ "New_Zealand_ISM_16.3.5.C.02"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Blocked accounts with owner permissions on Azure resources should be removed",
+
"groupNames": [ + "New_Zealand_ISM_16.4.30.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Blocked accounts with read and write permissions on Azure resources should be removed", + "groupNames": [ + "New_Zealand_ISM_16.4.30.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Guest accounts with owner permissions on Azure resources should be removed", + "groupNames": [ + "New_Zealand_ISM_16.4.30.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Guest accounts with read permissions on Azure resources should be removed", + "groupNames": [ + "New_Zealand_ISM_16.4.30.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Guest accounts with write permissions on Azure resources should be removed", + "groupNames": [ + "New_Zealand_ISM_16.4.30.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "There should be more than one owner assigned to your subscription", + "groupNames": [ + "New_Zealand_ISM_16.4.30.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "An Azure 
Active Directory administrator should be provisioned for SQL servers", + "groupNames": [ + "New_Zealand_ISM_16.4.32.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management APIs should use only encrypted protocols", + "groupNames": [ + "New_Zealand_ISM_17.1.55.C.03" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Key Vault keys should have an expiration date", + "groupNames": [ + "New_Zealand_ISM_17.1.58.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Key Vault secrets should have an expiration date", + "groupNames": [ + "New_Zealand_ISM_17.1.58.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Storage account keys should not be expired", + "groupNames": [ + "New_Zealand_ISM_17.1.58.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Keys using RSA cryptography should have a specified minimum key size", + "groupNames": [ + "New_Zealand_ISM_17.2.19.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9", + "definitionVersion": "1.*.*", + "parameters": { + "minimumRSAKeySize": { + "value": "[parameters('minimumRSAKeySize-1')]" + } + } + }, + { + 
"policyDefinitionReferenceId": "Keys using elliptic curve cryptography should have the specified curve names", + "groupNames": [ + "New_Zealand_ISM_17.2.22.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", + "definitionVersion": "1.*.*", + "parameters": { + "allowedECNames": { + "value": "[parameters('allowedECNames-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Certificates using RSA cryptography should have the specified minimum key size", + "groupNames": [ + "New_Zealand_ISM_17.2.24.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0", + "definitionVersion": "2.*.*", + "parameters": { + "minimumRSAKeySize": { + "value": "[parameters('minimumRSAKeySize-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "App Service apps should use the latest TLS version", + "groupNames": [ + "New_Zealand_ISM_17.4.16.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Function apps should use the latest TLS version", + "groupNames": [ + "New_Zealand_ISM_17.4.16.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Windows machines should be configured to use secure communication protocols", + "groupNames": [ + "New_Zealand_ISM_17.4.16.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5752e6d6-1206-46d8-8ab1-ecc2f71a8112", + "definitionVersion": "4.*.*", + "parameters": { + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines-1')]" + }, + "MinimumTLSVersion": { + "value": "[parameters('MinimumTLSVersion-1')]" + } + } + }, + { + 
"policyDefinitionReferenceId": "Azure SQL Database should be running TLS version 1.2 or newer", + "groupNames": [ + "New_Zealand_ISM_17.4.16.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Storage accounts should have the specified minimum TLS version", + "groupNames": [ + "New_Zealand_ISM_17.4.16.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "definitionVersion": "1.*.*", + "parameters": { + "minimumTlsVersion": { + "value": "[parameters('minimumTlsVersion-2')]" + } + } + }, + { + "policyDefinitionReferenceId": "IP Forwarding on your virtual machine should be disabled", + "groupNames": [ + "New_Zealand_ISM_17.5.6.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Authentication to Linux machines should require SSH keys", + "groupNames": [ + "New_Zealand_ISM_17.5.7.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/630c64f9-8b6b-4c64-b511-6544ceff6fd6", + "definitionVersion": "3.*.*", + "parameters": { + "IncludeArcMachines": { + "value": "[parameters('IncludeArcMachines-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Azure Key Vault should use RBAC permission model", + "groupNames": [ + "New_Zealand_ISM_17.9.35.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management secret named values should be stored in Azure Key Vault", + "groupNames": [ + "New_Zealand_ISM_17.9.36.C.02" + ], + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Adaptive network hardening recommendations should be applied on internet facing virtual machines", + "groupNames": [ + "New_Zealand_ISM_18.1.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08e6af2d-db70-460a-bfe9-d5bd474ba9d6", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "All network ports should be restricted on network security groups associated to your virtual machine", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9daedab3-fb2d-461e-b861-71790eead4f6", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Authorized IP ranges should be defined on Kubernetes Services", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure AI Services resources should restrict network access", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Cosmos DB accounts should have firewall rules", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", + "definitionVersion": "2.*.*", + "parameters": { + "effect": { + "value": "[parameters('deny_effect-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Azure Key Vault should have 
firewall enabled", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "definitionVersion": "3.*.*", + "parameters": { + "allowedIPAddresses": { + "value": "[parameters('allowedIPAddresses-1')]" + }, + "forbiddenIPAddresses": { + "value": "[parameters('forbiddenIPAddresses-1')]" + }, + "restrictIPAddresses": { + "value": "[parameters('restrictIPAddresses-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Container registries should not allow unrestricted network access", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "CORS should not allow every domain to access your API for FHIR", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fea8f8a-4169-495d-8307-30ec335f387d", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for MySQL database servers", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Enforce SSL connection should be enabled for PostgreSQL database servers", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Internet-facing virtual machines should be protected with network security groups", + "groupNames": [ + 
"New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Non-internet-facing virtual machines should be protected with network security groups", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bb91dfba-c30d-4263-9add-9c2384e659a6", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Only secure connections to your Azure Cache for Redis should be enabled", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Public network access on Azure SQL Database should be disabled", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Public network access should be disabled for MariaDB servers", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Public network access should be disabled for MySQL servers", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Public network access should be disabled for PostgreSQL servers", 
+ "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Secure transfer to storage accounts should be enabled", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Storage accounts should restrict network access", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Subnets should be associated with a Network Security Group", + "groupNames": [ + "New_Zealand_ISM_18.1.13.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure DDoS Protection should be enabled", + "groupNames": [ + "New_Zealand_ISM_18.4.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd", + "definitionVersion": "3.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Connection throttling should be enabled for PostgreSQL database servers", + "groupNames": [ + "New_Zealand_ISM_18.4.7.C.02" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5345bb39-67dc-4960-a1bf-427e16b9a0bd", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "All authorization rules except RootManageSharedAccessKey should be removed from Service Bus namespace", + 
"groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Web Application Firewall should be enabled for Azure Front Door entry-points", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should be enabled for Application Gateway", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Application Gateway", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", + "definitionVersion": "1.*.*", + "parameters": { + "modeRequirement": { + "value": "[parameters('modeRequirement-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Web Application Firewall (WAF) should use the specified mode for Azure Front Door Service", + "groupNames": [ + "New_Zealand_ISM_18.4.8.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", + "definitionVersion": "1.*.*", + "parameters": { + "modeRequirement": { + "value": "[parameters('modeRequirement-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "API endpoints that are unused should be disabled and removed from the Azure API Management service", + "groupNames": [ + "New_Zealand_ISM_22.1.24.C.03" + ], + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c8acafaf-3d23-44d1-9624-978ef0f8652c", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Virtual machines and virtual machine scale sets should have encryption at host enabled", + "groupNames": [ + "New_Zealand_ISM_22.1.24.C.04" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Accounts with owner permissions on Azure resources should be MFA enabled", + "groupNames": [ + "New_Zealand_ISM_23.3.19.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Accounts with read permissions on Azure resources should be MFA enabled", + "groupNames": [ + "New_Zealand_ISM_23.3.19.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Accounts with write permissions on Azure resources should be MFA enabled", + "groupNames": [ + "New_Zealand_ISM_23.3.19.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management minimum API version should be set to 2019-12-01 or higher", + "groupNames": [ + "New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management subscriptions should not be scoped to all APIs", + 
"groupNames": [ + "New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management direct management endpoint should not be enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "API Management calls to API backends should not bypass certificate thumbprint or name validation", + "groupNames": [ + "New_Zealand_ISM_23.4.10.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Automation account variables should be encrypted", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Key Vault Managed HSM should have purge protection enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Azure Machine Learning workspaces 
should be encrypted with a customer-managed key", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Cognitive Services accounts should enable data encryption with a customer-managed key", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "definitionVersion": "2.*.*", + "parameters": { + "excludedKinds": { + "value": "[parameters('excludedKinds-1')]" + } + } + }, + { + "policyDefinitionReferenceId": "Container registries should be encrypted with a customer-managed key", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Disk encryption should be enabled on Azure Data Explorer", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Key vaults should have deletion protection enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Key vaults should have soft delete enabled", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "definitionVersion": "3.*.*", + "parameters": {} + }, + 
{ + "policyDefinitionReferenceId": "MySQL servers should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "PostgreSQL servers should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Require encryption on Data Lake Store accounts", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a7ff3161-0087-490a-9ad9-ad6217f4f43a", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68", + "definitionVersion": "1.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "SQL managed instances should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", + "definitionVersion": "2.*.*", + "parameters": {} + }, + { + "policyDefinitionReferenceId": "SQL servers should use customer-managed keys to encrypt data at rest", + "groupNames": [ + "New_Zealand_ISM_23.4.9.C.01" + ], + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + 
"definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Storage accounts should use customer-managed key for encryption",
+ "groupNames": [
+ "New_Zealand_ISM_23.4.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Transparent Data Encryption on SQL databases should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.4.9.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12",
+ "definitionVersion": "2.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "App Service apps should have resource logs enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510",
+ "definitionVersion": "2.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Audit usage of custom RBAC roles",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Auditing on SQL server should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
+ "definitionVersion": "2.*.*",
+ "parameters": {
+ "setting": {
+ "value": "[parameters('setting-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Auto provisioning of the Log Analytics agent should be enabled on your subscription",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/475aae12-b88a-4572-8b36-9b712b2b3a17",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Disconnections should be logged for PostgreSQL database servers.",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e446",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Log connections should be enabled for PostgreSQL database servers",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb6f77b9-bd53-4e35-a23d-7f65d5f0e442",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Azure Data Lake Store should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Azure Kubernetes Service should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/245fc9df-fa96-4414-9a0b-3738c2f7341c",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Azure Stream Analytics should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Batch accounts should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Data Lake Analytics should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Event Hub should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in IoT Hub should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4",
+ "definitionVersion": "3.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Key Vault should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Logic Apps should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Search services should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Service Bus should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
+ "definitionVersion": "5.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionReferenceId": "SQL servers with auditing to storage account destination should be configured with 90 days retention or higher",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743",
+ "definitionVersion": "3.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6283572-73bb-4deb-bf2c-7a2b8f7462cb",
+ "definitionVersion": "1.*.*",
+ "parameters": {}
+ },
+ {
+ "policyDefinitionReferenceId": "Resource logs in Azure Machine Learning Workspaces should be enabled",
+ "groupNames": [
+ "New_Zealand_ISM_23.5.11.C.01"
+ ],
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6",
+ "definitionVersion": "1.*.*",
+ "parameters": {
+ "requiredRetentionDays": {
+ "value": "[parameters('requiredRetentionDays-1')]"
+ }
+ }
+ }
+ ]
+ },
+ "id": "/providers/Microsoft.Authorization/policySetDefinitions/4f5b1359-4f8e-4d7c-9733-ea47fcde891e",
+ "name": "4f5b1359-4f8e-4d7c-9733-ea47fcde891e"
+ }
\ No newline at end of file
diff --git a/PolicyInitiatives/ISM/README.md b/PolicyInitiatives/ISM/README.md
new file mode 100644
index 0000000..858c266
--- /dev/null
+++ b/PolicyInitiatives/ISM/README.md
@@ -0,0 +1,14 @@
+# New Zealand Information Security Manual (ISM) Policy Initiative
+ The New Zealand ISM Policy Initiative aids in meeting the New Zealand Information Security Manual (ISM) Policy control objectives. The policy initiatives and files contained in this repository are intended to serve as a starting point. Please note that these files are not intended to be final or comprehensive solutions, but rather a helpful resource to jumpstart your efforts.
+
+**Important** Organizations are wholly responsible for ensuring their own compliance with all applicable laws and regulations. The information provided in this document does not constitute legal advice, and organizations should consult their legal advisors for any questions regarding regulatory compliance.
+
+The evidence against each security measure and its corresponding security controls shall be assessed to determine whether it meets the security requirements. If the security requirements are not fulfilled, the outstanding risks shall be identified. The SAA and/or NCSP shall identify any additional security measures and controls needed to attain an acceptable residual risk, which would be implemented by the NCSP and/or CSP.
+
+The contents of this ISM Policy Initiative are:
+ 1. New Zealand ISM Policy documentation. Reference to the New Zealand ISM official documentation which walks through the control objectives. This publication offers a comprehensive collection of controls for cloud service consumers to protect organizational operations from a diverse set of threats and risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk.
+
+ 2. Mapping File. A file that maps the ISM Control Objectives to Azure Policies. The mapping file enables the user to identify what Azure Policies are being used to meet ISM control objectives. 
Each Control ID in the mapping files contains the Control Domain, Control Title, Control Description, Azure Policy Name, Azure Policy Reference ID, and Azure Policy Definition ID. An explanation of each Control can be found in the ISM Policy documentation. + + ### Contributions + Changes can not be made to the policy initiative directly in this repo. If you find an issue, feel free to open a PR with the proposed fix. diff --git a/scripts/New-PolicySets.ps1 b/scripts/New-PolicySets.ps1 index 69cf2ec..e2ea5db 100644 --- a/scripts/New-PolicySets.ps1 +++ b/scripts/New-PolicySets.ps1 @@ -59,8 +59,7 @@ function New-InstallPolicySets { -Metadata $varPolicyMetadata ` -Parameter $varPolicyParameters ` -GroupDefinition $varPolicyDefinitionGroups ` - -ManagementGroupName $parManagementGroupId ` - -ApiVersion "2023-04-01" + -ManagementGroupName $parManagementGroupId } else { @@ -71,8 +70,7 @@ function New-InstallPolicySets { -PolicyDefinition $varPolicyDefinitions ` -Metadata $varPolicyMetadata ` -Parameter $varPolicyParameters ` - -ManagementGroupName $parManagementGroupId ` - -ApiVersion "2023-04-01" + -ManagementGroupName $parManagementGroupId } @@ -85,7 +83,15 @@ function New-InstallPolicySets { } } catch { + $varError = "{0} : {1}`n{2}`n" + ` + " + CategoryInfo : {3}`n" + ` + " + FullyQualifiedErrorId : {4}`n" + $varErrorProperties = $_.InvocationInfo.MyCommand.Name, $_.ErrorDetails.Message, ` + $_.InvocationInfo.PositionMessage, $_.CategoryInfo.ToString(), ` + $_.FullyQualifiedErrorId + $varFormattedError = $varError -f $varErrorProperties $varLoopCounter++ + Write-Host -Foreground Red -Background Black $varFormattedError if ($varLoopCounter -lt $varMaxRetryAttemptTransientErrorRetry) { Write-Information ">>> Retrying policy deployment after waiting for $varRetryWaitTimeTransientErrorRetry secs" -InformationAction Continue Start-Sleep -Seconds $varRetryWaitTimeTransientErrorRetry diff --git a/scripts/README.md b/scripts/README.md index da3867e..0c2ded8 100644 
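Review bot: With `-ApiVersion "2023-04-01"` removed from the New-AzPolicySetDefinition call in the first hunk, the request version used for the deployment is now whatever the installed Az.Resources module picks, so the outcome depends on which module version the operator happens to have rather than on the script. If the parameter was dropped because newer Az.Resources releases no longer accept it (which this diff does not state), that minimum should be made explicit at the top of the script with `#Requires -Modules @{ ModuleName = 'Az.Resources'; ModuleVersion = '<minimum tested version>' }` so an older module fails fast at startup instead of with a parameter-binding error part way through installing the policy sets. The same applies to the identical removal in the second hunk. The enclosing function New-InstallPolicySets starts and ends outside the hunk.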
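Review bot: `$_.ErrorDetails.Message` in the new `$varErrorProperties` list is `$null` whenever the failing cmdlet did not populate ErrorDetails, which is common for exceptions raised by Az cmdlets, so the `{1}` slot of `$varFormattedError` will often be empty and the operator gets a position message with no reason for the failure; fall back to the exception text with `$varMessage = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }` and pass `$varMessage` in place of `$_.ErrorDetails.Message`. Separately, the catch block still retries on every exception, including non-transient ones such as authorization or definition-validation failures, even though the counter is named for transient errors; the `FullyQualifiedErrorId` now being captured could be used to gate the retry so a permissions problem is surfaced immediately instead of after the full retry budget. The enclosing function New-InstallPolicySets and the remainder of this catch block continue outside the hunk.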
--- a/scripts/README.md +++ b/scripts/README.md @@ -1,9 +1,22 @@ # Overview -This is a PowerShell script to help users deploy our policy sets files to deployed Sovereign Landing Zones (SLZ). +This is a PowerShell script to help users deploy our policy sets files to a deployed Sovereign Landing Zone (SLZ). # Setup and run 1. Install PowerShell 7. 1. Open PowerShell 7 and navigate to this directory. 1. Then type `.\New-PolicySets.ps1` and follow the prompts to provide the inputs needed to install the policy sets. + +# FAQ + +## How can I authenticate when MFA is enabled? +Examples scenarios of how to use Connect-AzAccount when multi-factor authentication is enabled: https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount + +# Still facing issues with authentication? +Ensure you are running the script in PowerShell 7. Try to clear all local account context, some examples of commands to run for clearing the context include: +```ps +Clear-AzContext +az logout +az login +```