[Deprecated]: Azure Security Benchmark v1

Azure BuiltIn Policy Initiative (PolicySet)

Policy types

Policy states

Policy categories

Total Policies: 107
Builtin Policies: 107
Static Policies: 0

Deprecated: 6
GA: 99
Preview: 2

22 categories:

App Service: 14
Automation: 1
Backup: 1
Batch: 1
Cache: 1
Compute: 4
Data Lake: 2
Event Hub: 1
General: 1
Guest Configuration: 11
Internet of Things: 1
Key Vault: 2
Logic Apps: 1
Monitoring: 4
Network: 11
Search: 1
Security Center: 23
Service Bus: 1
Service Fabric: 2
SQL: 20
Storage: 3
Stream Analytics: 1

Rows: 1-10 / 107

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Page of 11

Policy DisplayName

Policy Id

Category

Version

Versioning

Effect

Roles#

Roles

State

policy in AzUSGov

[Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled

e3e008c3-56b9-4133-8fd7-d3347377402a

Security Center

1.1.0 (1.1.0-deprecated)

2x
1.1.0, 1.0.0

Default
Disabled
Allowed
AuditIfNotExists, Disabled

Deprecated

true

[Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled

81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4

Security Center

1.1.0 (1.1.0-deprecated)

2x
1.1.0, 1.0.0

Default
Disabled
Allowed
AuditIfNotExists, Disabled

Deprecated

true

[Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled

931e118d-50a1-4457-a5e4-78550e086c52

Security Center

1.1.0 (1.1.0-deprecated)

2x
1.1.0, 1.0.0

Default
Disabled
Allowed
AuditIfNotExists, Disabled

Deprecated

true

[Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled

7c1b1214-f927-48bf-8882-84f0af6588b1

Compute

2.2.0 (2.2.0-deprecated)

2x
2.2.0, 2.1.0

Default
Disabled
Allowed
AuditIfNotExists, Disabled

Deprecated

true

[Deprecated]: Unattached disks should be encrypted

2c89a2e5-7285-40fe-afe0-ae8654b92fb2

Compute

1.0.0 (1.0.0-deprecated)

1x
1.0.0

Default
Audit
Allowed
Audit, Disabled

Deprecated

true

[Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources

0961003e-5a0a-4549-abde-af6a37f2724d

Security Center

2.1.0 (2.1.0-deprecated)

2x
2.1.0, 2.0.3

Default
Disabled
Allowed
AuditIfNotExists, Disabled

Deprecated

true

[Preview]: All Internet traffic should be routed via your deployed Azure Firewall

fc5e4038-4584-4632-8c85-c0448d374b2c

Network

3.0.0-preview

1x
3.0.0-preview

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

Preview

unknown

[Preview]: Container Registry should use a virtual network service endpoint

c4857be7-912a-4c75-87e6-e30292bcdf78

Network

1.0.0-preview

1x
1.0.0-preview

Default
Audit
Allowed
Audit, Disabled

Preview

true

A maximum of 3 owners should be designated for your subscription

4f11b553-d42e-4e3a-89be-32ca364cad4c

Security Center

3.0.0

1x
3.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

A vulnerability assessment solution should be enabled on your virtual machines

501541f7-f7e7-4cd6-868c-4190fdad3ac9

Security Center

3.0.0

1x
3.0.0

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

true

Role

Role Id

#Policies

Policies

Contributor

b24988ac-6180-42a0-ab88-20f7382dd24c

Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities, Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity, Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs

Date/Time (UTC ymd) (i)

Changes

2025-05-09 17:29:42

Version change: '14.7.0-deprecated' to '14.8.0-deprecated'
remove Policy [Deprecated]: Virtual machines should have the Log Analytics extension installed (a70ca396-0a34-413a-88e1-b956c1e683be)

2025-03-12 18:29:00

Version change: '14.6.0-deprecated' to '14.7.0-deprecated'
remove Policy [Deprecated]: Vulnerabilities in security configuration on your machines should be remediated (e1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15)

2024-10-15 17:53:51

Version change: '14.5.0-deprecated' to '14.6.0-deprecated'
remove Policy [Deprecated]: System updates on virtual machine scale sets should be installed (c3f317a7-a95c-4547-b7e7-11017ebdf2fe)
remove Policy [Deprecated]: System updates should be installed on your machines (86b3d65f-7626-441e-b690-81a8b71cff60)

2024-09-05 17:48:45

Version change: '14.4.0-deprecated' to '14.5.0-deprecated'
remove Policy [Deprecated]: Adaptive network hardening recommendations should be applied on internet facing virtual machines (08e6af2d-db70-460a-bfe9-d5bd474ba9d6)
remove Policy [Deprecated]: Auto provisioning of the Log Analytics agent should be enabled on your subscription (475aae12-b88a-4572-8b36-9b712b2b3a17)
remove Policy [Deprecated]: Vulnerabilities in security configuration on your virtual machine scale sets should be remediated (3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4)
remove Policy [Deprecated]: Vulnerabilities in container security configurations should be remediated (e8cbc669-f12d-49eb-93e7-9273119e9933)
remove Policy [Deprecated]: Adaptive application controls for defining safe applications should be enabled on your machines (47a6b606-51aa-4496-8bb7-64b11cf66adc)

2024-08-29 17:47:54

Version change: '14.3.0-deprecated' to '14.4.0-deprecated'
remove Policy [Deprecated]: Endpoint protection solution should be installed on virtual machine scale sets (26a828e1-e88f-464e-bbb3-c134a282b9de)
remove Policy [Deprecated]: Monitor missing Endpoint Protection in Azure Security Center (af6cd1bd-1635-48cb-bde7-5b15693900b9)

2023-12-12 19:47:53

add Policy App Service apps should have Client Certificates (Incoming client certificates) enabled (19dd1db6-f442-49cf-a838-b0786b4401ef)
Version change: '14.2.0-deprecated' to '14.3.0-deprecated'
remove Policy [Deprecated]: App Service apps should have 'Client Certificates (Incoming client certificates)' enabled (5bb220d9-2698-4ee4-8404-b9c30c9df609)

2023-05-04 17:45:12

add Policy Guest accounts with write permissions on Azure resources should be removed (94e1c2ac-cbbe-4cac-a2b5-389c812dee87)
add Policy Guest accounts with owner permissions on Azure resources should be removed (339353f6-2387-4a45-abe4-7f529d121046)
add Policy Guest accounts with read permissions on Azure resources should be removed (e9ac8f8e-ce22-4355-8f04-99b911d6be52)
add Policy [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled (931e118d-50a1-4457-a5e4-78550e086c52)
add Policy Blocked accounts with owner permissions on Azure resources should be removed (0cfea604-3201-4e14-88fc-fae4c427a6c5)
add Policy [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled (e3e008c3-56b9-4133-8fd7-d3347377402a)
add Policy Blocked accounts with read and write permissions on Azure resources should be removed (8d7e1fde-fe26-4b5f-8108-f8e432cbc2be)
add Policy [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled (81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4)
Version change: '14.0.0-deprecated' to '14.2.0-deprecated'
remove Policy [Deprecated]: MFA should be enabled on accounts with read permissions on your subscription (e3576e28-8b17-4677-84c3-db2990658d64)
remove Policy [Deprecated]: External accounts with owner permissions should be removed from your subscription (f8456c1c-aa66-4dfb-861a-25d127b775c9)
remove Policy [Deprecated]: Deprecated accounts with owner permissions should be removed from your subscription (ebb62a0c-3560-49e1-89ed-27e074e9f8ad)
remove Policy [Deprecated]: External accounts with read permissions should be removed from your subscription (5f76cf89-fbf2-47fd-a3f4-b891fa780b60)
remove Policy App Service apps that use PHP should use a specified 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3)
remove Policy [Deprecated]: MFA should be enabled for accounts with write permissions on your subscription (9297c21d-2ed6-4474-b48f-163f75654ce3)
remove Policy App Service apps that use Python should use a specified 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73)
remove Policy [Deprecated]: External accounts with write permissions should be removed from your subscription (5c607a2e-c700-4744-8254-d77e7c9eb5e4)
remove Policy [Deprecated]: Deprecated accounts should be removed from your subscription (6b1cbf55-e8b6-442f-ba4c-7246b6381474)
remove Policy Function apps that use Python should use a specified 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73)
remove Policy App Service apps that use Java should use a specified 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed)
remove Policy Function apps that use Java should use a specified 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
remove Policy [Deprecated]: MFA should be enabled on accounts with owner permissions on your subscription (aa633080-8b72-40c4-a2d7-d00c03e80bed)

2022-07-07 16:32:14

2022-06-10 16:31:22

Version change: '11.0.0-deprecated' to '13.0.0-deprecated'
remove Policy [Deprecated]: API App should only be accessible over HTTPS (b7ddfbdc-1260-477d-91fd-98bd9be789a6)

2022-01-13 19:18:29

add Policy App Service apps should have resource logs enabled (91a78b24-f231-4a8a-8da9-02c35b2b6510)
remove Policy [Deprecated]: Diagnostic logs in App Services should be enabled (b607c5de-e7d9-4eee-9e5c-83f1bcee4fa0)

2021-12-08 16:24:23

add Policy SQL managed instances should use customer-managed keys to encrypt data at rest (ac01ad65-10e5-46df-bdd9-6b0cad13e1d2)
add Policy SQL servers should use customer-managed keys to encrypt data at rest (0a370ff3-6cab-4e85-8995-295fd854c5b8)
remove Policy [Deprecated]: SQL managed instances should use customer-managed keys to encrypt data at rest (048248b0-55cd-46da-b1ff-39efd52db260)
remove Policy [Deprecated]: SQL servers should use customer-managed keys to encrypt data at rest (0d134df8-db83-46fb-ad72-fe0c9428c8dd)
remove Policy [Deprecated]: Sensitive data in your SQL databases should be classified (cc9835f2-9f6b-4cc8-ab4a-f8ef615eb349)

2021-06-22 14:29:04

remove Policy [Deprecated]: Service Bus should use a virtual network service endpoint (235359c5-7c52-4b82-9055-01c75cf9f60e)

2021-02-09 14:46:37

Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark v1 recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.' to 'This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center.'

2021-01-22 09:14:56

Name change: '[Preview]: Azure Security Benchmark v1' to '[Deprecated]: Azure Security Benchmark v1'
remove Policy [Deprecated]: A security contact phone number should be provided for your subscription (b4d66858-c922-44e3-9566-5cdb7a7be744)
remove Policy [Deprecated]: Vulnerabilities should be remediated by a Vulnerability Assessment solution (760a85ff-6162-42b3-8d70-698e268f648c)

2021-01-13 16:08:35

Description change: 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark v1 recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.'
Name change: '[Preview]: Azure Security Benchmark' to '[Preview]: Azure Security Benchmark v1'

2020-09-15 14:06:41

remove Policy [Deprecated]: Pod Security Policies should be defined on Kubernetes Services (3abeb944-26af-43ee-b83d-32aaf060fb94)

2020-09-09 11:24:08

2020-09-02 14:03:46

remove Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app (ab965db2-d2bf-4b64-8b39-c38ec8179461)
remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app (c2e7ca55-f62c-49b2-89a4-d41eb661d2f0)
remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app (843664e0-7563-41ee-a9cb-7522c382d2c4)
remove Policy [Deprecated]: Ensure that Register with Azure Active Directory is enabled on WEB App (aa81768c-cb87-4ce2-bfaa-00baa10d760c)
remove Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App (10c1859c-e1a7-4df3-ab97-a487fa8059f6)
remove Policy [Deprecated]: Ensure that Register with Azure Active Directory is enabled on Function App (f0473e7a-a1ba-4e86-afb2-e829e11b01d8)
remove Policy [Deprecated]: Ensure that Register with Azure Active Directory is enabled on API app (86d97760-d216-4d81-a3ad-163087b2b6c3)

2020-08-21 13:50:30

2020-07-01 14:50:07

remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL server advanced data security settings (c8343d2f-fdc9-4a97-b76f-fc71d1163bfc)
remove Policy [Deprecated]: Email notifications to admins should be enabled in SQL Managed Instance advanced data security settings (aeb23562-188d-47cb-80b8-551f16ef9fff)
remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL server Advanced Data Security settings (e756b945-1b1b-480b-8de8-9a0859d5f7ad)
remove Policy [Deprecated]: Advanced data security settings for SQL Managed Instance should contain an email address for security alerts (3965c43d-b5f4-482e-b74a-d89ee0e0b3a8)
remove Policy [Deprecated]: Advanced Threat Protection types should be set to 'All' in SQL Managed Instance advanced data security settings (bda18df3-5e41-4709-add9-2554ce68c966)
remove Policy [Deprecated]: Advanced data security settings for SQL server should contain an email address to receive security alerts (9677b740-f641-4f3c-b9c5-466005c85278)

2020-06-16 14:55:25

Description change: 'This initiative includes audit and VM Extension deployment policies that address a subset of Azure Security Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, please visit https://aka.ms/azsecbm.' to 'This initiative includes audit and virtual machine extension deployment policies that address a subset of Azure Security Benchmark recommendations. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/azsecbm.'
Name change: '[Preview]: Audit Azure Security Benchmark recommendations and deploy specific supporting VM Extensions' to '[Preview]: Azure Security Benchmark'

2020-06-11 19:46:04

add Policy SQL servers with auditing to storage account destination should be configured with 90 days retention or higher (89099bee-89e0-4b26-a5f4-165451757743)
add Policy Function apps should require FTPS only (399b2637-a50f-4f95-96f8-3a145476eb15)
add Policy Private endpoint should be enabled for MySQL servers (7595c971-233d-4bcf-bd18-596129188c49)
add Policy App Service apps should require FTPS only (4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b)
add Policy SQL Auditing settings should have Action-Groups configured to capture critical activities (7ff426e2-515f-405a-91c8-4f2333442eb5)
add Policy Private endpoint should be enabled for PostgreSQL servers (0564d078-92f5-4f97-8398-b9f58a51f70b)
add Policy [Deprecated]: FTPS only should be required in your API App (9a1b8c48-453a-4044-86c3-d8bfd823e4f5)
add Policy [Preview]: All Internet traffic should be routed via your deployed Azure Firewall (fc5e4038-4584-4632-8c85-c0448d374b2c)
add Policy Private endpoint should be enabled for MariaDB servers (0a1302fb-a631-4106-9753-f3d494733990)
remove Policy [Deprecated]: Vulnerability Assessment settings for SQL server should contain an email address to receive scan reports (057d6cfe-9c4f-4a6d-bc60-14420ea1f1a9)
remove Policy Security Center standard pricing tier should be selected (a1181c5f-672a-477a-979a-7d58aa086233)

2020-03-03 10:09:24

add Policy [Deprecated]: API apps that use Python should use the latest 'Python version' (74c3584d-afae-46f7-a20a-6f8adba71a16)
add Policy App Service apps that use Java should use a specified 'Java version' (496223c3-ad65-4ecd-878a-bae78737e9ed)
add Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the API app (1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba)
add Policy App Service apps that use PHP should use a specified 'PHP version' (7261b898-8a84-4db8-9e04-18527132abb3)
add Policy Function apps that use Java should use a specified 'Java version' (9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc)
add Policy Function apps that use Python should use a specified 'Python version' (7238174a-fd10-4ef0-817e-fc820a951d73)
add Policy [Deprecated]: Ensure that 'PHP version' is the latest, if used as a part of the Function app (ab965db2-d2bf-4b64-8b39-c38ec8179461)
add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the API app (c2e7ca55-f62c-49b2-89a4-d41eb661d2f0)
add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Web app (843664e0-7563-41ee-a9cb-7522c382d2c4)
add Policy [Deprecated]: Ensure that '.NET Framework' version is the latest, if used as a part of the Function App (10c1859c-e1a7-4df3-ab97-a487fa8059f6)
add Policy [Deprecated]: Ensure that 'Java version' is the latest, if used as a part of the API app (88999f4c-376a-45c8-bcb3-4058f713cf39)
add Policy App Service apps that use Python should use a specified 'Python version' (7008174a-fd10-4ef0-817e-fc820a951d73)
add Policy Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version (fb893a29-21bb-418c-a157-e99480ec364c)
remove Policy Azure Monitor solution 'Security and Audit' must be deployed (3e596b57-105f-48a6-be97-03e9243bad6e)
remove Policy Microsoft IaaSAntimalware extension should be deployed on Windows servers (9b597639-28e4-48eb-b506-56b05d366257)

2020-02-05 07:51:53

add Initiative 42a694ed-f65e-42b2-aa9e-8052e9740a92

{

displayName: "[Deprecated]: Azure Security Benchmark v1",
policyType: "BuiltIn",
description: "This initiative has been deprecated. The Azure Security Benchmark initiative now represents the Azure Security Benchmark v2 controls, and serves as the Azure Security Center default policy initiative. Please assign that initiative, or manage its policies and compliance results within Azure Security Center.",
metadata: {3 items
- version: "14.8.0-deprecated",
- deprecated: true,
- category: "Regulatory Compliance"
},
version: "14.8.0",
parameters: {14 items
- IncludeArcMachines: {4 items
  - type: "String",
  - metadata: {2 items
    - displayName: "Include Arc connected servers for Guest Configuration policies",
    - description: "Optionally choose to audit settings inside Arc connected servers using Guest Configuration policies. By selecting this option, you agree to be charged monthly per Arc connected machine."
    },
  - allowedValues: [2 items
    - "true",
    - "false"
    ],
  - defaultValue: "false"
  },
- listOfMembersToExcludeFromWindowsVMAdministratorsGroup: {2 items
  - type: "String",
  - metadata: {2 items
    - displayName: "List of users excluded from Windows VM Administrators group",
    - description: "A semicolon-separated list of members that should be excluded in the Administrators local group. Ex: Administrator; myUser1; myUser2"
    }
  },
- listOfMembersToIncludeInWindowsVMAdministratorsGroup: {2 items
  - type: "String",
  - metadata: {2 items
    - displayName: "List of users that must be included in Windows VM Administrators group",
    - description: "A semicolon-separated list of members that should be included in the Administrators local group. Ex: Administrator; myUser1; myUser2"
    }
  },
- listOfOnlyMembersInWindowsVMAdministratorsGroup: {2 items
  - type: "String",
  - metadata: {2 items
    - displayName: "List of users that Windows VM Administrators group must *only* include",
    - description: "A semicolon-separated list of all the expected members of the Administrators local group. Ex: Administrator; myUser1; myUser2"
    }
  },
- listOfRegionsWhereNetworkWatcherShouldBeEnabled: {3 items
  - type: "Array",
  - metadata: {4 items
    - displayName: "[Deprecated]: List of regions where Network Watcher should be enabled",
    - description: "To see a complete list of regions use Get-AzLocation",
    - strongType: "location",
    - deprecated: true
    },
  - defaultValue: [41 items
    - "australiacentral",
    - "australiacentral2",
    - "australiaeast",
    - "australiasoutheast",
    - "brazilsouth",
    - "canadacentral",
    - "canadaeast",
    - "centralindia",
    - "centralus",
    - "eastasia",
    - "eastus",
    - "eastus2",
    - "francecentral",
    - "francesouth",
    - "germanynorth",
    - "germanywestcentral",
    - "global",
    - "japaneast",
    - "japanwest",
    - "koreacentral",
    - "koreasouth",
    - "northcentralus",
    - "northeurope",
    - "norwayeast",
    - "norwaywest",
    - "southafricanorth",
    - "southafricawest",
    - "southcentralus",
    - "southeastasia",
    - "southindia",
    - "switzerlandnorth",
    - "switzerlandwest",
    - "uaecentral",
    - "uaenorth",
    - "uksouth",
    - "ukwest",
    - "westcentralus",
    - "westeurope",
    - "westindia",
    - "westus",
    - "westus2"
    ]
  },
- NetworkWatcherResourceGroupName: {3 items
  - type: "String",
  - metadata: {2 items
    - displayName: "NetworkWatcher resource group name",
    - description: "Name of the resource group of NetworkWatcher, such as NetworkWatcherRG"
    },
  - defaultValue: "NetworkWatcherRG"
  },
- approvedVirtualNetworkForVMs: {2 items
  - type: "String",
  - metadata: {3 items
    - displayName: "Virtual network where VMs should be connected",
    - description: "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name",
    - strongType: "Microsoft.Network/virtualNetworks"
    }
  },
- approvedNetworkGatewayforVirtualNetworks: {2 items
  - type: "String",
  - metadata: {3 items
    - displayName: "Network gateway that virtual networks should use",
    - description: "Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroup/providers/Microsoft.Network/virtualNetworkGateways/Name",
    - strongType: "Microsoft.Network/virtualNetworkGateways"
    }
  },
- listOfWorkspaceIDsForLogAnalyticsAgent: {2 items
  - type: "String",
  - metadata: {2 items
    - displayName: "List of workspace IDs where Log Analytics agents should connect",
    - description: "A semicolon-separated list of the workspace IDs that the Log Analytics agent should be connected to"
    }
  },
- listOfResourceTypesWithDiagnosticLogsEnabled: {4 items
  - type: "Array",
  - metadata: {2 items
    - displayName: "List of resource types that should have resource logs enabled",
    - description: "Audit diagnostic setting for selected resource types"
    },
  - allowedValues: [46 items
    - "Microsoft.AnalysisServices/servers",
    - "Microsoft.ApiManagement/service",
    - "Microsoft.Network/applicationGateways",
    - "Microsoft.Automation/automationAccounts",
    - "Microsoft.ContainerInstance/containerGroups",
    - "Microsoft.ContainerRegistry/registries",
    - "Microsoft.ContainerService/managedClusters",
    - "Microsoft.Batch/batchAccounts",
    - "Microsoft.Cdn/profiles/endpoints",
    - "Microsoft.CognitiveServices/accounts",
    - "Microsoft.DocumentDB/databaseAccounts",
    - "Microsoft.DataFactory/factories",
    - "Microsoft.DataLakeAnalytics/accounts",
    - "Microsoft.DataLakeStore/accounts",
    - "Microsoft.EventGrid/eventSubscriptions",
    - "Microsoft.EventGrid/topics",
    - "Microsoft.EventHub/namespaces",
    - "Microsoft.Network/expressRouteCircuits",
    - "Microsoft.Network/azureFirewalls",
    - "Microsoft.HDInsight/clusters",
    - "Microsoft.Devices/IotHubs",
    - "Microsoft.KeyVault/vaults",
    - "Microsoft.Network/loadBalancers",
    - "Microsoft.Logic/integrationAccounts",
    - "Microsoft.Logic/workflows",
    - "Microsoft.DBforMySQL/servers",
    - "Microsoft.Network/networkInterfaces",
    - "Microsoft.Network/networkSecurityGroups",
    - "Microsoft.DBforPostgreSQL/servers",
    - "Microsoft.PowerBIDedicated/capacities",
    - "Microsoft.Network/publicIPAddresses",
    - "Microsoft.RecoveryServices/vaults",
    - "Microsoft.Cache/redis",
    - "Microsoft.Relay/namespaces",
    - "Microsoft.Search/searchServices",
    - "Microsoft.ServiceBus/namespaces",
    - "Microsoft.SignalRService/SignalR",
    - "Microsoft.Sql/servers/databases",
    - "Microsoft.Sql/servers/elasticPools",
    - "Microsoft.StreamAnalytics/streamingjobs",
    - "Microsoft.TimeSeriesInsights/environments",
    - "Microsoft.Network/trafficManagerProfiles",
    - "Microsoft.Compute/virtualMachines",
    - "Microsoft.Compute/virtualMachineScaleSets",
    - "Microsoft.Network/virtualNetworks",
    - "Microsoft.Network/virtualNetworkGateways"
    ],
  - defaultValue: [46 items
    - "Microsoft.AnalysisServices/servers",
    - "Microsoft.ApiManagement/service",
    - "Microsoft.Network/applicationGateways",
    - "Microsoft.Automation/automationAccounts",
    - "Microsoft.ContainerInstance/containerGroups",
    - "Microsoft.ContainerRegistry/registries",
    - "Microsoft.ContainerService/managedClusters",
    - "Microsoft.Batch/batchAccounts",
    - "Microsoft.Cdn/profiles/endpoints",
    - "Microsoft.CognitiveServices/accounts",
    - "Microsoft.DocumentDB/databaseAccounts",
    - "Microsoft.DataFactory/factories",
    - "Microsoft.DataLakeAnalytics/accounts",
    - "Microsoft.DataLakeStore/accounts",
    - "Microsoft.EventGrid/eventSubscriptions",
    - "Microsoft.EventGrid/topics",
    - "Microsoft.EventHub/namespaces",
    - "Microsoft.Network/expressRouteCircuits",
    - "Microsoft.Network/azureFirewalls",
    - "Microsoft.HDInsight/clusters",
    - "Microsoft.Devices/IotHubs",
    - "Microsoft.KeyVault/vaults",
    - "Microsoft.Network/loadBalancers",
    - "Microsoft.Logic/integrationAccounts",
    - "Microsoft.Logic/workflows",
    - "Microsoft.DBforMySQL/servers",
    - "Microsoft.Network/networkInterfaces",
    - "Microsoft.Network/networkSecurityGroups",
    - "Microsoft.DBforPostgreSQL/servers",
    - "Microsoft.PowerBIDedicated/capacities",
    - "Microsoft.Network/publicIPAddresses",
    - "Microsoft.RecoveryServices/vaults",
    - "Microsoft.Cache/redis",
    - "Microsoft.Relay/namespaces",
    - "Microsoft.Search/searchServices",
    - "Microsoft.ServiceBus/namespaces",
    - "Microsoft.SignalRService/SignalR",
    - "Microsoft.Sql/servers/databases",
    - "Microsoft.Sql/servers/elasticPools",
    - "Microsoft.StreamAnalytics/streamingjobs",
    - "Microsoft.TimeSeriesInsights/environments",
    - "Microsoft.Network/trafficManagerProfiles",
    - "Microsoft.Compute/virtualMachines",
    - "Microsoft.Compute/virtualMachineScaleSets",
    - "Microsoft.Network/virtualNetworks",
    - "Microsoft.Network/virtualNetworkGateways"
    ]
  },
- PHPLatestVersion: {3 items
  - type: "String",
  - metadata: {3 items
    - displayName: "[Deprecated]: Latest PHP version",
    - description: "Latest supported PHP version for App Services",
    - deprecated: true
    },
  - defaultValue: "7.3"
  },
- JavaLatestVersion: {3 items
  - type: "String",
  - metadata: {3 items
    - displayName: "[Deprecated]: Latest Java version",
    - description: "Latest supported Java version for App Services",
    - deprecated: true
    },
  - defaultValue: "11"
  },
- WindowsPythonLatestVersion: {3 items
  - type: "String",
  - metadata: {3 items
    - displayName: "[Deprecated]: Latest Windows Python version",
    - description: "Latest supported Python version for App Services",
    - deprecated: true
    },
  - defaultValue: "3.6"
  },
- LinuxPythonLatestVersion: {3 items
  - type: "String",
  - metadata: {3 items
    - displayName: "[Deprecated]: Latest Linux Python version",
    - description: "Latest supported Python version for App Services",
    - deprecated: true
    },
  - defaultValue: "3.8"
  }
},
policyDefinitions: [107 items
- {5 items
  - policyDefinitionReferenceId: "013e242c-8828-4970-87b3-ab247555486d",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/013e242c-8828-4970-87b3-ab247555486d Azure Backup should be enabled for Virtual Machines ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_9.1",
    - "Azure_Security_Benchmark_v1.0_9.2"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "ac01ad65-10e5-46df-bdd9-6b0cad13e1d2",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2 SQL managed instances should use customer-managed keys to encrypt data at rest ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.8"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "057ef27e-665e-4328-8ea3-04b3122bd9fb",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/057ef27e-665e-4328-8ea3-04b3122bd9fb Resource logs in Azure Data Lake Store should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0820b7b9-23aa-4725-a1ce-ae4558f718e5",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0820b7b9-23aa-4725-a1ce-ae4558f718e5 Function apps should not have CORS configured to allow every resource to access your apps ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "09024ccc-0c5f-475e-9457-b7c0d9ed487b",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/09024ccc-0c5f-475e-9457-b7c0d9ed487b There should be more than one owner assigned to your subscription ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_3.1",
    - "Azure_Security_Benchmark_v1.0_3.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0961003e-5a0a-4549-abde-af6a37f2724d",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d [Deprecated]: Virtual machines should encrypt temp disks, caches, and data flows between Compute and Storage resources ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.8"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0b60c0b2-2dc2-4e1c-b5c9-abbed971de53",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53 Key vaults should have deletion protection enabled ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_7.11",
    - "Azure_Security_Benchmark_v1.0_9.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0a370ff3-6cab-4e85-8995-295fd854c5b8",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8 SQL servers should use customer-managed keys to encrypt data at rest ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.8"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0da106f2-4ca3-48e8-bc85-c638fe6aea8f",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0da106f2-4ca3-48e8-bc85-c638fe6aea8f Function apps should use managed identity ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_7.12"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0e246bcf-5f6f-4f87-bc6f-775d4712c7ea",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0e246bcf-5f6f-4f87-bc6f-775d4712c7ea Authorized IP ranges should be defined on Kubernetes Services ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0e60b895-3786-45da-8377-9c6b4b6ac5f9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0e60b895-3786-45da-8377-9c6b4b6ac5f9 Function apps should have remote debugging turned off ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0ec47710-77ff-4a3d-9181-6aa50af424d0",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0ec47710-77ff-4a3d-9181-6aa50af424d0 Geo-redundant backup should be enabled for Azure Database for MariaDB ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_9.1",
    - "Azure_Security_Benchmark_v1.0_9.2"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f Audit Windows machines that have the specified members in the Administrators group ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {2 items
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      },
    - MembersToExclude: {1 item
      - value: "[parameters('listOfMembersToExcludeFromWindowsVMAdministratorsGroup')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "17k78e20-9358-41c9-923c-fb736d382a12",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12 Transparent Data Encryption on SQL databases should be enabled ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.8"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "1a4e592a-6a6e-44a5-9814-e36264ca96e7",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1a4e592a-6a6e-44a5-9814-e36264ca96e7 Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.2"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "1b7aa243-30e4-4c9e-bca8-d0d3022b634a",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1b7aa243-30e4-4c9e-bca8-d0d3022b634a Vulnerability assessment should be enabled on SQL Managed Instance ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_5.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "1d84d5fb-01f6-4d12-ba4f-4a26081d403d",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1d84d5fb-01f6-4d12-ba4f-4a26081d403d Virtual machines should be migrated to new Azure Resource Manager resources ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_6.9"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "1f314764-cb73-4fc9-b863-8eca98ac36e9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1f314764-cb73-4fc9-b863-8eca98ac36e9 An Azure Active Directory administrator should be provisioned for SQL servers ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.9"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "22730e10-96f6-4aac-ad84-9383d35b5917",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917 Management ports should be closed on your virtual machines ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "22bee202-a82f-4305-9a2a-6d7f44d4dedb",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/22bee202-a82f-4305-9a2a-6d7f44d4dedb Only secure connections to your Azure Cache for Redis should be enabled ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "2b9ad585-36bc-4615-b300-fd4435808332",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2b9ad585-36bc-4615-b300-fd4435808332 App Service apps should use managed identity ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_7.12"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "2c89a2e5-7285-40fe-afe0-ae8654b92fb2",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2c89a2e5-7285-40fe-afe0-ae8654b92fb2 [Deprecated]: Unattached disks should be encrypted ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.8"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "2d21331d-a4c2-4def-a9ad-ee4e1e023beb",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2d21331d-a4c2-4def-a9ad-ee4e1e023beb App Service apps should use a virtual network service endpoint ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "34c877ad-507e-4c82-993e-3452a6e0ad3c",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c Storage accounts should restrict network access ,
  - definitionVersion: 1.*.*1.1.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "34f95f76-5386-4de7-b824-0d8478470c9d",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/34f95f76-5386-4de7-b824-0d8478470c9d Resource logs in Logic Apps should be enabled ,
  - definitionVersion: 5.*.*5.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "3657f5a0-770e-44a3-b44e-9431ba1e9735",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735 Automation account variables should be encrypted ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.8"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "3cf2ab00-13f1-4d0c-8971-2ac904541a7e",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities ,
  - definitionVersion: 4.*.*4.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.11"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "497dff13-db2a-4c0f-8603-28fa3b331ab6",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/497dff13-db2a-4c0f-8603-28fa3b331ab6 Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity ,
  - definitionVersion: 4.*.*4.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.11"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "385f5831-96d4-41db-9a3c-cd3af78aaae6",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6 Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs ,
  - definitionVersion: 1.*.*1.3.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.11"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "1221c620-d201-468c-81e7-2817e6107e84",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1221c620-d201-468c-81e7-2817e6107e84 Windows machines should meet requirements for 'Security Options - Network Security' ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.11"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "37e0d2fe-28a5-43d6-a273-67d37d1f5606",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606 Storage accounts should be migrated to new Azure Resource Manager resources ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_6.9"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "383856f8-de7f-44a2-81fc-e5135b5c2aa4",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/383856f8-de7f-44a2-81fc-e5135b5c2aa4 Resource logs in IoT Hub should be enabled ,
  - definitionVersion: 3.*.*3.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "404c3081-a854-4457-ae30-26a93ef643f9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9 Secure transfer to storage accounts should be enabled ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "41388f1c-2db0-4c25-95b2-35d7f5ccbfa9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/41388f1c-2db0-4c25-95b2-35d7f5ccbfa9 Azure Monitor should collect activity logs from all regions ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_2.2",
    - "Azure_Security_Benchmark_v1.0_4.9"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "428256e6-1fac-4f48-a757-df34c2b3336d",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/428256e6-1fac-4f48-a757-df34c2b3336d Resource logs in Batch accounts should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "48af4db5-9b8b-401c-8e74-076be876a430",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/48af4db5-9b8b-401c-8e74-076be876a430 Geo-redundant backup should be enabled for Azure Database for PostgreSQL ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_9.1",
    - "Azure_Security_Benchmark_v1.0_9.2"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "4f11b553-d42e-4e3a-89be-32ca364cad4c",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c A maximum of 3 owners should be designated for your subscription ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_3.1",
    - "Azure_Security_Benchmark_v1.0_3.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7 Subscriptions should have a contact email address for security issues ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_10.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "501541f7-f7e7-4cd6-868c-4190fdad3ac9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/501541f7-f7e7-4cd6-868c-4190fdad3ac9 A vulnerability assessment solution should be enabled on your virtual machines ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_5.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "5744710e-cc2f-4ee8-8809-3b11e89f4bc9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5744710e-cc2f-4ee8-8809-3b11e89f4bc9 App Service apps should not have CORS configured to allow every resource to access your apps ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "19dd1db6-f442-49cf-a838-b0786b4401ef",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/19dd1db6-f442-49cf-a838-b0786b4401ef App Service apps should have Client Certificates (Incoming client certificates) enabled ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "94e1c2ac-cbbe-4cac-a2b5-389c812dee87",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/94e1c2ac-cbbe-4cac-a2b5-389c812dee87 Guest accounts with write permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.10"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "e9ac8f8e-ce22-4355-8f04-99b911d6be52",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e9ac8f8e-ce22-4355-8f04-99b911d6be52 Guest accounts with read permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.10"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "60d21c4f-21a3-4d94-85f4-b924e6aeeda4",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/60d21c4f-21a3-4d94-85f4-b924e6aeeda4 Storage Accounts should use a virtual network service endpoint ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "617c02be-7f02-4efd-8836-3180d47b6c68",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/617c02be-7f02-4efd-8836-3180d47b6c68 Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.8"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "6265018c-d7e2-432f-a75d-094d5f6f4465",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/6265018c-d7e2-432f-a75d-094d5f6f4465 Audit Windows machines on which the Log Analytics agent is not connected as expected ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {2 items
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      },
    - WorkspaceId: {1 item
      - value: "[parameters('listOfWorkspaceIDsForLogAnalyticsAgent')]"
      }
    },
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_2.2",
    - "Azure_Security_Benchmark_v1.0_2.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "8d7e1fde-fe26-4b5f-8108-f8e432cbc2be",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8d7e1fde-fe26-4b5f-8108-f8e432cbc2be Blocked accounts with read and write permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.10"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab Function apps should only be accessible over HTTPS ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "7c1b1214-f927-48bf-8882-84f0af6588b1",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/7c1b1214-f927-48bf-8882-84f0af6588b1 [Deprecated]: Resource logs in Virtual Machine Scale Sets should be enabled ,
  - definitionVersion: 2.*.*2.2.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "7f89b1eb-583c-429a-8828-af049802c1d9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/7f89b1eb-583c-429a-8828-af049802c1d9 Audit diagnostic setting for selected resource types ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {1 item
    - listOfResourceTypes: {1 item
      - value: "[parameters('listOfResourceTypesWithDiagnosticLogsEnabled')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "82339799-d096-41ae-8538-b108becf0970",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/82339799-d096-41ae-8538-b108becf0970 Geo-redundant backup should be enabled for Azure Database for MySQL ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_9.1",
    - "Azure_Security_Benchmark_v1.0_9.2"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "83a214f7-d01a-484b-91a9-ed54470c9a6a",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/83a214f7-d01a-484b-91a9-ed54470c9a6a Resource logs in Event Hub should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "caf2d518-f029-4f6b-833b-d7081702f253",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/caf2d518-f029-4f6b-833b-d7081702f253 Windows machines should meet requirements for 'Security Options - Microsoft Network Server' ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.11"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "931e118d-50a1-4457-a5e4-78550e086c52",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/931e118d-50a1-4457-a5e4-78550e086c52 [Deprecated]: Accounts with write permissions on Azure resources should be MFA enabled ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7 Audit Windows machines missing any of specified members in the Administrators group ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {2 items
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      },
    - MembersToInclude: {1 item
      - value: "[parameters('listOfMembersToIncludeInWindowsVMAdministratorsGroup')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "67e010c1-640d-438e-a3a5-feaccb533a98",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/67e010c1-640d-438e-a3a5-feaccb533a98 Windows machines should meet requirements for 'Administrative Templates - Network' ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.11"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "a451c1ef-c6ca-483d-87ed-f49761e3ffb5",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a451c1ef-c6ca-483d-87ed-f49761e3ffb5 Audit usage of custom RBAC roles ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.6"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "a4af4a39-4135-47fb-b175-47fbdf85311d",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d App Service apps should only be accessible over HTTPS ,
  - definitionVersion: 4.*.*4.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9 Auditing on SQL server should be enabled ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "a7aca53f-2ed4-4466-a25e-0b45ade68efd",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a7aca53f-2ed4-4466-a25e-0b45ade68efd Azure DDoS Protection should be enabled ,
  - definitionVersion: 3.*.*3.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "e3e008c3-56b9-4133-8fd7-d3347377402a",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e3e008c3-56b9-4133-8fd7-d3347377402a [Deprecated]: Accounts with owner permissions on Azure resources should be MFA enabled ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/abfb4388-5bf4-4ad7-ba82-2cd2f41ceae9 Azure Defender for SQL should be enabled for unprotected Azure SQL servers ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_2.7",
    - "Azure_Security_Benchmark_v1.0_4.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/abfb7388-5bf4-4ad7-ba99-2cd2f41cebb9 Azure Defender for SQL should be enabled for unprotected SQL Managed Instances ,
  - definitionVersion: 1.*.*1.0.2,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_2.7",
    - "Azure_Security_Benchmark_v1.0_4.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "ac4a19c2-fa67-49b4-8ae5-0b2e78c49457",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ac4a19c2-fa67-49b4-8ae5-0b2e78c49457 Role-Based Access Control (RBAC) should be used on Kubernetes Services ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.6"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "ae5d2f14-d830-42b6-9899-df6cfe9c71a3",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ae5d2f14-d830-42b6-9899-df6cfe9c71a3 SQL Server should use a virtual network service endpoint ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "b0f33259-77d7-4c9e-aac6-3aabcfae693c",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b0f33259-77d7-4c9e-aac6-3aabcfae693c Management ports of virtual machines should be protected with just-in-time network access control ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_1.1",
    - "Azure_Security_Benchmark_v1.0_1.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "b4330a05-a843-4bc8-bf9a-cacce50c67f4",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4 Resource logs in Search services should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "b54ed75b-3e1a-44ac-a333-05ba39b99ff0",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b54ed75b-3e1a-44ac-a333-05ba39b99ff0 Service Fabric clusters should only use Azure Active Directory for client authentication ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.9"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "91a78b24-f231-4a8a-8da9-02c35b2b6510",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/91a78b24-f231-4a8a-8da9-02c35b2b6510 App Service apps should have resource logs enabled ,
  - definitionVersion: 2.*.*2.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "b6e2945c-0b7b-40f5-9233-7a5323b5cdc6",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 Network Watcher should be enabled ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {1 item
    - resourceGroupName: {1 item
      - value: "[parameters('NetworkWatcherResourceGroupName')]"
      }
    },
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_1.2",
    - "Azure_Security_Benchmark_v1.0_1.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "3d2a3320-2a72-4c67-ac5f-caa40fbee2b2",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3d2a3320-2a72-4c67-ac5f-caa40fbee2b2 Audit Windows machines that have extra accounts in the Administrators group ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {2 items
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      },
    - Members: {1 item
      - value: "[parameters('listOfOnlyMembersInWindowsVMAdministratorsGroup')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "bd352bd5-2853-4985-bf0d-73806b4a5744",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/bd352bd5-2853-4985-bf0d-73806b4a5744 IP Forwarding on your virtual machine should be disabled ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "c43e4a30-77cb-48ab-a4dd-93f175c63b57",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/c43e4a30-77cb-48ab-a4dd-93f175c63b57 Microsoft Antimalware for Azure should be configured to automatically update protection signatures ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_2.8",
    - "Azure_Security_Benchmark_v1.0_8.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "c4857be7-912a-4c75-87e6-e30292bcdf78",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/c4857be7-912a-4c75-87e6-e30292bcdf78 [Preview]: Container Registry should use a virtual network service endpoint ,
  - definitionVersion: 1.*.*-preview1.0.0-preview,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "c95c74d9-38fe-4f0d-af86-0c7d626a315c",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/c95c74d9-38fe-4f0d-af86-0c7d626a315c Resource logs in Data Lake Analytics should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "cb510bfd-1cba-4d9f-a230-cb0976f4bb71",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/cb510bfd-1cba-4d9f-a230-cb0976f4bb71 App Service apps should have remote debugging turned off ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "cf820ca0-f99e-4f3e-84fb-66e913812d21",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/cf820ca0-f99e-4f3e-84fb-66e913812d21 Resource logs in Key Vault should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "d158790f-bfb0-486c-8631-2dc6b4e8e6af",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d158790f-bfb0-486c-8631-2dc6b4e8e6af Enforce SSL connection should be enabled for PostgreSQL database servers ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "d38fc420-0735-4ef3-ac11-c806f651a570",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d38fc420-0735-4ef3-ac11-c806f651a570 Long-term geo-redundant backup should be enabled for Azure SQL Databases ,
  - definitionVersion: 2.*.*2.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_9.1",
    - "Azure_Security_Benchmark_v1.0_9.2"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "d416745a-506c-48b6-8ab1-83cb814bcaa3",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d416745a-506c-48b6-8ab1-83cb814bcaa3 Virtual machines should be connected to an approved virtual network ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {1 item
    - virtualNetworkId: {1 item
      - value: "[parameters('approvedVirtualNetworkForVMs')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "d63edb4a-c612-454d-b47d-191a724fcbf0",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d63edb4a-c612-454d-b47d-191a724fcbf0 Event Hub should use a virtual network service endpoint ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e0a2b1a3-f7f9-4569-807f-2a9edebdf4d9 Cosmos DB should use a virtual network service endpoint ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/81b3ccb4-e6e8-4e4a-8d05-5df25cd29fd4 [Deprecated]: Accounts with read permissions on Azure resources should be MFA enabled ,
  - definitionVersion: 1.*.*1.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_3.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "e71308d3-144b-4262-b144-efdc3cc90517",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e71308d3-144b-4262-b144-efdc3cc90517 Subnets should be associated with a Network Security Group ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "e802a67a-daf5-4436-9ea6-f6d821dd0c5d",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/e802a67a-daf5-4436-9ea6-f6d821dd0c5d Enforce SSL connection should be enabled for MySQL database servers ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "ea4d6841-2173-4317-9747-ff522a45120f",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ea4d6841-2173-4317-9747-ff522a45120f Key Vault should use a virtual network service endpoint ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0cfea604-3201-4e14-88fc-fae4c427a6c5",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0cfea604-3201-4e14-88fc-fae4c427a6c5 Blocked accounts with owner permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_3.1",
    - "Azure_Security_Benchmark_v1.0_3.10"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/ef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9 Vulnerability assessment should be enabled on your SQL servers ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_5.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "efbde977-ba53-4479-b8e9-10b957924fbf",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/efbde977-ba53-4479-b8e9-10b957924fbf The Log Analytics extension should be installed on Virtual Machine Scale Sets ,
  - definitionVersion: 1.*.*1.0.1,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_2.2",
    - "Azure_Security_Benchmark_v1.0_2.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b App Service apps should use the latest TLS version ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "f1776c76-f58c-4245-a8d0-2b207198dc8b",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f1776c76-f58c-4245-a8d0-2b207198dc8b Virtual networks should use specified virtual network gateway ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {1 item
    - virtualNetworkGatewayId: {1 item
      - value: "[parameters('approvedNetworkGatewayforVirtualNetworks')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd Windows machines should meet requirements for 'Security Options - Network Access' ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {1 item
    - IncludeArcMachines: {1 item
      - value: "[parameters('IncludeArcMachines')]"
      }
    },
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.11"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "f6de0be7-9a8a-4b8a-b349-43cf02d22f7c",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f6de0be7-9a8a-4b8a-b349-43cf02d22f7c Internet-facing virtual machines should be protected with network security groups ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "339353f6-2387-4a45-abe4-7f529d121046",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/339353f6-2387-4a45-abe4-7f529d121046 Guest accounts with owner permissions on Azure resources should be removed ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_3.1",
    - "Azure_Security_Benchmark_v1.0_3.10"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "f8d36e2f-389b-4ee4-898d-21aeb69a0f45",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f8d36e2f-389b-4ee4-898d-21aeb69a0f45 Resource logs in Service Bus should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "f9be5368-9bf5-4b84-9e0a-7850da98bb46",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f9be5368-9bf5-4b84-9e0a-7850da98bb46 Resource logs in Azure Stream Analytics should be enabled ,
  - definitionVersion: 5.*.*5.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "f9d614c5-c173-4d56-95a7-b4437057d193",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193 Function apps should use the latest TLS version ,
  - definitionVersion: 2.*.*2.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "feedbf84-6b99-488c-acc2-71c829aa5ffc",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/feedbf84-6b99-488c-acc2-71c829aa5ffc SQL databases should have vulnerability findings resolved ,
  - definitionVersion: 4.*.*4.1.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_5.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "fb893a29-21bb-418c-a157-e99480ec364c",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/fb893a29-21bb-418c-a157-e99480ec364c Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version ,
  - definitionVersion: 1.*.*1.0.2,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_5.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0564d078-92f5-4f97-8398-b9f58a51f70b",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0564d078-92f5-4f97-8398-b9f58a51f70b Private endpoint should be enabled for PostgreSQL servers ,
  - definitionVersion: 1.*.*1.0.2,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "0a1302fb-a631-4106-9753-f3d494733990",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0a1302fb-a631-4106-9753-f3d494733990 Private endpoint should be enabled for MariaDB servers ,
  - definitionVersion: 1.*.*1.0.2,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "7595c971-233d-4bcf-bd18-596129188c49",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/7595c971-233d-4bcf-bd18-596129188c49 Private endpoint should be enabled for MySQL servers ,
  - definitionVersion: 1.*.*1.0.2,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_1.1"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "fc5e4038-4584-4632-8c85-c0448d374b2c",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/fc5e4038-4584-4632-8c85-c0448d374b2c [Preview]: All Internet traffic should be routed via your deployed Azure Firewall ,
  - definitionVersion: 3.*.*-preview3.0.0-preview,
  - parameters: {},
  - groupNames: [2 items
    - "Azure_Security_Benchmark_v1.0_1.1",
    - "Azure_Security_Benchmark_v1.0_1.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "7ff426e2-515f-405a-91c8-4f2333442eb5",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/7ff426e2-515f-405a-91c8-4f2333442eb5 SQL Auditing settings should have Action-Groups configured to capture critical activities ,
  - definitionVersion: 1.*.*1.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.3"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "89099bee-89e0-4b26-a5f4-165451757743",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/89099bee-89e0-4b26-a5f4-165451757743 SQL servers with auditing to storage account destination should be configured with 90 days retention or higher ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_2.5"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "399b2637-a50f-4f95-96f8-3a145476eb15",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/399b2637-a50f-4f95-96f8-3a145476eb15 Function apps should require FTPS only ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  },
- {5 items
  - policyDefinitionReferenceId: "4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b",
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/4d24b6d4-5e53-4a4f-a7f4-618fa573ee4b App Service apps should require FTPS only ,
  - definitionVersion: 3.*.*3.0.0,
  - parameters: {},
  - groupNames: [1 item
    - "Azure_Security_Benchmark_v1.0_4.4"
    ]
  }
],
policyDefinitionGroups: [88 items
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.6",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.6"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.7",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.7"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.8",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.8"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.9",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.9"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.10",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.10"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_1.11",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_1.11"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.6",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.6"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.7",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.7"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.8",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.8"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.9",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.9"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_2.10",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_2.10"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.6",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.6"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.7",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.7"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.8",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.8"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.9",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.9"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.10",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.10"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.11",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.11"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.12",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.12"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_3.13",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_3.13"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.6",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.6"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.7",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.7"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.8",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.8"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_4.9",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_4.9"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_5.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_5.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_5.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_5.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_5.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_5.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.6",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.6"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.7",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.7"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.8",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.8"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.9",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.9"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.10",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.10"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.11",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.11"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.12",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.12"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_6.13",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_6.13"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.6",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.6"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.7",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.7"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.8",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.8"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.9",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.9"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.10",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.10"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.11",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.11"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.12",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.12"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_7.13",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_7.13"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_8.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_8.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_8.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_8.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_8.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_8.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_9.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_9.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_9.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.3"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_9.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_9.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_10.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_10.2",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.2"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_10.4",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.4"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_10.5",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.5"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_10.6",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.6"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_11.1",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_11.1"
  },
- {2 items
  - name: "Azure_Security_Benchmark_v1.0_10.3",
  - additionalMetadataId: "/providers/Microsoft.PolicyInsights/policyMetadata/Azure_Security_Benchmark_v1.0_10.3"
  }
],
versions: [7 items
- "14.8.0",
- "14.7.0",
- "14.6.0",
- "14.5.0",
- "14.4.0",
- "14.3.0",
- "14.2.0"
]

}