The following article details how the Azure Policy Regulatory Compliance built-in initiative definition maps to compliance domains and controls in Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM. To understand Ownership, review the policy type and Shared responsibility in the cloud.
The following mappings are to the Canada Federal PBMM controls. Many of the controls are implemented with an Azure Policy initiative definition. To review the complete initiative definition, open Policy in the Azure portal and select the Definitions page. Then, find and select the Canada Federal PBMM Regulatory Compliance built-in initiative definition.
Important
Each control below is associated with one or more Azure Policy definitions. These policies may help you assess compliance with the control; however, there often is not a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policy definitions themselves; this doesn't ensure you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between compliance domains, controls, and Azure Policy definitions for this compliance standard may change over time. To view the change history, see the GitHub Commit History.
Access Control
Account Management
ID: CCCS AC-2
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Blocked accounts with owner permissions on Azure resources should be removed | Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 | 
| Blocked accounts with read and write permissions on Azure resources should be removed | Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. | AuditIfNotExists, Disabled | 1.0.0 | 
| Guest accounts with owner permissions on Azure resources should be removed | External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 | 
| Guest accounts with read permissions on Azure resources should be removed | External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 | 
| Guest accounts with write permissions on Azure resources should be removed | External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. | AuditIfNotExists, Disabled | 1.0.0 | 
Account Management | Role-Based Schemes
ID: CCCS AC-2(7)
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| An Azure Active Directory administrator should be provisioned for SQL servers | Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services | AuditIfNotExists, Disabled | 1.0.0 | 
| Service Fabric clusters should only use Azure Active Directory for client authentication | Audit usage of client authentication only via Azure Active Directory in Service Fabric | Audit, Deny, Disabled | 1.1.0 | 
Information Flow Enforcement
ID: CCCS AC-4
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| App Service apps should not have CORS configured to allow every resource to access your apps | Cross-Origin Resource Sharing (CORS) should not allow all domains to access your app. Allow only required domains to interact with your app. | AuditIfNotExists, Disabled | 2.0.0 | 
Separation of Duties
ID: CCCS AC-5
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 | 
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | auditIfNotExists | 2.0.0 | 
| Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | auditIfNotExists | 2.0.0 | 
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.3.0 | 
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 | 
Least Privilege
ID: CCCS AC-6
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| A maximum of 3 owners should be designated for your subscription | It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. | AuditIfNotExists, Disabled | 3.0.0 | 
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Audit Windows machines missing any of specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. | auditIfNotExists | 2.0.0 | 
| Audit Windows machines that have the specified members in the Administrators group | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. | auditIfNotExists | 2.0.0 | 
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.3.0 | 
| There should be more than one owner assigned to your subscription | It is recommended to designate more than one subscription owner in order to have administrator access redundancy. | AuditIfNotExists, Disabled | 3.0.0 | 
Remote Access | Automated Monitoring / Control
ID: CCCS AC-17(1)
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| App Service apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on an App Service app. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.0.0 | 
| Audit Linux machines that allow remote connections from accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow remote connections from accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.2.0 | 
| Function apps should have remote debugging turned off | Remote debugging requires inbound ports to be opened on Function apps. Remote debugging should be turned off. | AuditIfNotExists, Disabled | 2.1.0 | 
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 | 
Audit and Accountability
Response to Audit Processing Failures
ID: CCCS AU-5
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 | 
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 | 
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 | 
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 | 
Audit Generation
ID: CCCS AU-12
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Audit diagnostic setting for selected resource types | Audit diagnostic setting for selected resource types. Be sure to select only resource types which support diagnostics settings. | AuditIfNotExists | 2.0.1 | 
| Auditing on SQL server should be enabled | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. | AuditIfNotExists, Disabled | 2.0.0 | 
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 | 
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 | 
Contingency Planning
Alternative Processing Site
ID: CCCS CP-7
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Audit virtual machines without disaster recovery configured | Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. | auditIfNotExists | 1.0.0 | 
Identification and Authentication
Authenticator Management
ID: CCCS IA-5
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Audit Linux machines that do not have the passwd file permissions set to 0644 | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the passwd file permissions are not set to 0644. | AuditIfNotExists, Disabled | 3.1.0 |
| Audit Linux machines that have accounts without passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they have accounts without passwords. | AuditIfNotExists, Disabled | 3.1.0 |
| Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs | This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 3.2.0 | 
Authenticator Management | Password-Based Authentication
ID: CCCS IA-5(1)
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity | This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol. | modify | 4.1.0 | 
| Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if they allow re-use of passwords after the specified number of unique passwords. The default value for unique passwords is 24. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the maximum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the maximum password age is not set to the specified number of days. The default value for maximum password age is 70 days. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the minimum password age set to specified number of days | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the minimum password age is not set to the specified number of days. The default value for minimum password age is 1 day. | AuditIfNotExists, Disabled | 2.1.0 |
| Audit Windows machines that do not have the password complexity setting enabled | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the password complexity setting is not enabled. | AuditIfNotExists, Disabled | 2.0.0 |
| Audit Windows machines that do not restrict the minimum password length to specified number of characters | Requires that prerequisites are deployed to the policy assignment scope. For details, visit https://aka.ms/gcpol. Machines are non-compliant if the minimum password length is not restricted to the specified number of characters. The default value for minimum password length is 14 characters. | AuditIfNotExists, Disabled | 2.1.0 |
| Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs | This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol. | deployIfNotExists | 1.3.0 | 
Risk Assessment
Vulnerability Scanning
ID: CCCS RA-5
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| A vulnerability assessment solution should be enabled on your virtual machines | Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. | AuditIfNotExists, Disabled | 3.0.0 | 
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 | 
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 | 
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 | 
System and Communications Protection
Denial of Service Protection
ID: CCCS SC-5
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Azure DDoS Protection should be enabled | DDoS protection should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. | AuditIfNotExists, Disabled | 3.0.1 | 
Boundary Protection
ID: CCCS SC-7
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| All network ports should be restricted on network security groups associated to your virtual machine | Azure Security Center has identified some of your network security groups' inbound rules to be too permissive. Inbound rules should not allow access from 'Any' or 'Internet' ranges. This can potentially enable attackers to target your resources. | AuditIfNotExists, Disabled | 3.0.0 | 
| Storage accounts should restrict network access | Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges | Audit, Deny, Disabled | 1.1.1 | 
Boundary Protection | Access Points
ID: CCCS SC-7(3)
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 | 
Boundary Protection | External Telecommunications Services
ID: CCCS SC-7(4)
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Management ports of virtual machines should be protected with just-in-time network access control | Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations | AuditIfNotExists, Disabled | 3.0.0 | 
Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection
ID: CCCS SC-8(1)
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| App Service apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 4.0.0 | 
| Function apps should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. | Audit, Disabled, Deny | 5.1.0 | 
| Only secure connections to your Azure Cache for Redis should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 1.0.0 | 
| Secure transfer to storage accounts should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit, Deny, Disabled | 2.0.0 | 
| Windows machines should be configured to use secure communication protocols | To protect the privacy of information communicated over the Internet, your machines should use the latest version of the industry-standard cryptographic protocol, Transport Layer Security (TLS). TLS secures communications over a network by encrypting a connection between machines. | AuditIfNotExists, Disabled | 4.1.1 | 
Protection of Information at Rest
ID: CCCS SC-28
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 | 
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 | 
| Transparent Data Encryption on SQL databases should be enabled | Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements | AuditIfNotExists, Disabled | 2.0.0 | 
System and Information Integrity
Flaw Remediation
ID: CCCS SI-2
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| SQL databases should have vulnerability findings resolved | Monitor vulnerability assessment scan results and recommendations for how to remediate database vulnerabilities. | AuditIfNotExists, Disabled | 4.1.0 | 
Information System Monitoring
ID: CCCS SI-4
| Name (Azure portal) | Description | Effect(s) | Version (GitHub) | 
|---|---|---|---|
| Azure Defender for SQL should be enabled for unprotected Azure SQL servers | Audit SQL servers without Advanced Data Security | AuditIfNotExists, Disabled | 2.0.1 | 
| Azure Defender for SQL should be enabled for unprotected SQL Managed Instances | Audit each SQL Managed Instance without advanced data security. | AuditIfNotExists, Disabled | 1.0.2 | 
Next steps
Additional articles about Azure Policy:
- Regulatory Compliance overview.
- See the initiative definition structure.
- Review other examples at Azure Policy samples.
- Review Understanding policy effects.
- Learn how to remediate non-compliant resources.