Azure Policy Regulatory Compliance controls for Azure SQL Database & SQL Managed Instance

Applies to: Azure SQL Database Azure SQL Managed Instance

Regulatory Compliance in Azure Policy provides Microsoft created and managed initiative definitions, known as built-ins, for the compliance domains and security controls related to different compliance standards. This page lists the compliance domains and security controls for Azure SQL Database and SQL Managed Instance. You can assign the built-ins for a security control individually to help make your Azure resources compliant with the specific standard.

The title of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Policy Version column to view the source on the Azure Policy GitHub repo.

Important

Each control is associated with one or more Azure Policy definitions. These policies might help you assess compliance with the control. However, there often isn't a one-to-one or complete match between a control and one or more policies. As such, Compliant in Azure Policy refers only to the policies themselves. This doesn't ensure that you're fully compliant with all requirements of a control. In addition, the compliance standard includes controls that aren't addressed by any Azure Policy definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance status. The associations between controls and Azure Policy Regulatory Compliance definitions for these compliance standards can change over time.

Australian Government ISM PROTECTED

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Australian Government ISM PROTECTED. For more information about this compliance standard, see Australian Government ISM PROTECTED.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Guidelines for System Management - System patching 940 When to patch security vulnerabilities - 940 SQL databases should have vulnerability findings resolved 4.1.0
Guidelines for System Management - System patching 940 When to patch security vulnerabilities - 940 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Guidelines for System Management - System patching 940 When to patch security vulnerabilities - 940 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Guidelines for System Management - System patching 1144 When to patch security vulnerabilities - 1144 SQL databases should have vulnerability findings resolved 4.1.0
Guidelines for System Management - System patching 1144 When to patch security vulnerabilities - 1144 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Guidelines for System Management - System patching 1144 When to patch security vulnerabilities - 1144 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Guidelines for Database Systems - Database management system software 1260 Database administrator accounts - 1260 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Guidelines for Database Systems - Database management system software 1261 Database administrator accounts - 1261 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Guidelines for Database Systems - Database management system software 1262 Database administrator accounts - 1262 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Guidelines for Database Systems - Database management system software 1263 Database administrator accounts - 1263 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Guidelines for Database Systems - Database management system software 1264 Database administrator accounts - 1264 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Guidelines for Database Systems - Database servers 1425 Protecting database server contents - 1425 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Guidelines for System Management - System patching 1472 When to patch security vulnerabilities - 1472 SQL databases should have vulnerability findings resolved 4.1.0
Guidelines for System Management - System patching 1472 When to patch security vulnerabilities - 1472 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Guidelines for System Management - System patching 1472 When to patch security vulnerabilities - 1472 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Guidelines for System Management - System patching 1494 When to patch security vulnerabilities - 1494 SQL databases should have vulnerability findings resolved 4.1.0
Guidelines for System Management - System patching 1494 When to patch security vulnerabilities - 1494 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Guidelines for System Management - System patching 1494 When to patch security vulnerabilities - 1494 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Guidelines for System Management - System patching 1495 When to patch security vulnerabilities - 1495 SQL databases should have vulnerability findings resolved 4.1.0
Guidelines for System Management - System patching 1495 When to patch security vulnerabilities - 1495 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Guidelines for System Management - System patching 1495 When to patch security vulnerabilities - 1495 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Guidelines for System Management - System patching 1496 When to patch security vulnerabilities - 1496 SQL databases should have vulnerability findings resolved 4.1.0
Guidelines for System Management - System patching 1496 When to patch security vulnerabilities - 1496 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Guidelines for System Management - System patching 1496 When to patch security vulnerabilities - 1496 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Guidelines for System Monitoring - Event logging and auditing 1537 Events to be logged - 1537 Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Guidelines for System Monitoring - Event logging and auditing 1537 Events to be logged - 1537 Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

Canada Federal PBMM

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Canada Federal PBMM. For more information about this compliance standard, see Canada Federal PBMM.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2(7) Account Management | Role-Based Schemes An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Audit and Accountability AU-5 Response to Audit Processing Failures Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU-5 Response to Audit Processing Failures Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU-5 Response to Audit Processing Failures Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability AU-12 Audit Generation Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning SQL databases should have vulnerability findings resolved 4.1.0
System and Communications Protection SC-28 Protection of Information at Rest Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Communications Protection SC-28 Protection of Information at Rest Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
System and Communications Protection SC-28 Protection of Information at Rest Transparent Data Encryption on SQL databases should be enabled 2.0.0
System and Information Integrity SI-2 Flaw Remediation SQL databases should have vulnerability findings resolved 4.1.0
System and Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

CIS Microsoft Azure Foundations Benchmark 1.1.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.1.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
2 Security Center 2.14 Ensure ASC Default policy setting "Monitor SQL Auditing" is not "Disabled" Auditing on SQL server should be enabled 2.0.0
2 Security Center 2.15 Ensure ASC Default policy setting "Monitor SQL Encryption" is not "Disabled" Transparent Data Encryption on SQL databases should be enabled 2.0.0
4 Database Services 4.1 Ensure that 'Auditing' is set to 'On' Auditing on SQL server should be enabled 2.0.0
4 Database Services 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
4 Database Services 4.10 Ensure SQL server's TDE protector is encrypted with BYOK (Use your own key) SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
4 Database Services 4.2 Ensure that 'AuditActionGroups' in 'auditing' policy for a SQL server is set properly SQL Auditing settings should have Action-Groups configured to capture critical activities 1.0.0
4 Database Services 4.3 Ensure that 'Auditing' Retention is 'greater than 90 days' SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
4 Database Services 4.4 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
4 Database Services 4.4 Ensure that 'Advanced Data Security' on a SQL server is set to 'On' Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
4 Database Services 4.8 Ensure that Azure Active Directory Admin is configured An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
4 Database Services 4.9 Ensure that 'Data encryption' is set to 'On' on a SQL Database Transparent Data Encryption on SQL databases should be enabled 2.0.0

CIS Microsoft Azure Foundations Benchmark 1.3.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CIS Microsoft Azure Foundations Benchmark 1.3.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
4 Database Services 4.1.1 Ensure that 'Auditing' is set to 'On' Auditing on SQL server should be enabled 2.0.0
4 Database Services 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database Transparent Data Encryption on SQL databases should be enabled 2.0.0
4 Database Services 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
4 Database Services 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
4 Database Services 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL server is set to 'Enabled' Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
4 Database Services 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
4 Database Services 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Vulnerability assessment should be enabled on your SQL servers 3.0.0
4 Database Services 4.4 Ensure that Azure Active Directory Admin is configured An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
4 Database Services 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
4 Database Services 4.5 Ensure SQL server's TDE protector is encrypted with Customer-managed key SQL servers should use customer-managed keys to encrypt data at rest 2.0.1

CIS Microsoft Azure Foundations Benchmark 1.4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v1.4.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
4 Database Services 4.1.1 Ensure that 'Auditing' is set to 'On' Auditing on SQL server should be enabled 2.0.0
4 Database Services 4.1.2 Ensure that 'Data encryption' is set to 'On' on a SQL Database Transparent Data Encryption on SQL databases should be enabled 2.0.0
4 Database Services 4.1.3 Ensure that 'Auditing' Retention is 'greater than 90 days' SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
4 Database Services 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL Server is Set to 'Enabled' Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
4 Database Services 4.2.1 Ensure that Advanced Threat Protection (ATP) on a SQL Server is Set to 'Enabled' Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
4 Database Services 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
4 Database Services 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Vulnerability assessment should be enabled on your SQL servers 3.0.0
4 Database Services 4.5 Ensure that Azure Active Directory Admin is configured An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
4 Database Services 4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
4 Database Services 4.6 Ensure SQL server's TDE protector is encrypted with Customer-managed key SQL servers should use customer-managed keys to encrypt data at rest 2.0.1

CIS Microsoft Azure Foundations Benchmark 2.0.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for CIS v2.0.0. For more information about this compliance standard, see CIS Microsoft Azure Foundations Benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
4.1 4.1.1 Ensure that 'Auditing' is set to 'On' Auditing on SQL server should be enabled 2.0.0
4.1 4.1.2 Ensure no Azure SQL Databases allow ingress from 0.0.0.0/0 (ANY IP) Public network access on Azure SQL Database should be disabled 1.1.0
4.1 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
4.1 4.1.3 Ensure SQL server's Transparent Data Encryption (TDE) protector is encrypted with Customer-managed key SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
4.1 4.1.4 Ensure that Azure Active Directory Admin is Configured for SQL Servers An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
4.1 4.1.5 Ensure that 'Data encryption' is set to 'On' on a SQL Database Transparent Data Encryption on SQL databases should be enabled 2.0.0
4.1 4.1.6 Ensure that 'Auditing' Retention is 'greater than 90 days' SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
4.2 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
4.2 4.2.1 Ensure that Microsoft Defender for SQL is set to 'On' for critical SQL Servers Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
4.2 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
4.2 4.2.2 Ensure that Vulnerability Assessment (VA) is enabled on a SQL server by setting a Storage Account Vulnerability assessment should be enabled on your SQL servers 3.0.0
4.2 4.2.3 Ensure that Vulnerability Assessment (VA) setting 'Periodic recurring scans' is set to 'on' for each SQL server Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
4.2 4.2.4 Ensure that Vulnerability Assessment (VA) setting 'Send scan reports to' is configured for a SQL server Vulnerability assessment should be enabled on your SQL servers 3.0.0
4.2 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server SQL databases should have vulnerability findings resolved 4.1.0
4.2 4.2.5 Ensure that Vulnerability Assessment (VA) setting 'Also send email notifications to admins and subscription owners' is set for each SQL Server Vulnerability assessment should be enabled on your SQL servers 3.0.0

CMMC Level 3

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - CMMC Level 3. For more information about this compliance standard, see Cybersecurity Maturity Model Certification (CMMC).

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC.1.001 Limit information system access to authorized users, processes acting on behalf of authorized users, and devices (including other information systems). Public network access on Azure SQL Database should be disabled 1.1.0
Access Control AC.1.002 Limit information system access to the types of transactions and functions that authorized users are permitted to execute. Public network access on Azure SQL Database should be disabled 1.1.0
Access Control AC.2.016 Control the flow of CUI in accordance with approved authorizations. Public network access on Azure SQL Database should be disabled 1.1.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU.2.041 Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU.2.042 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability AU.3.046 Alert in the event of an audit logging process failure. Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU.3.046 Alert in the event of an audit logging process failure. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU.3.046 Alert in the event of an audit logging process failure. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Auditing on SQL server should be enabled 2.0.0
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Security Assessment CA.2.158 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. Vulnerability assessment should be enabled on your SQL servers 3.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Auditing on SQL server should be enabled 2.0.0
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Security Assessment CA.3.161 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. Vulnerability assessment should be enabled on your SQL servers 3.0.0
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Configuration Management CM.2.064 Establish and enforce security configuration settings for information technology products employed in organizational systems. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Configuration Management CM.3.068 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. Public network access on Azure SQL Database should be disabled 1.1.0
Recovery RE.2.137 Regularly perform and test data back-ups. Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Recovery RE.3.139 Regularly perform complete, comprehensive and resilient data backups as organizationally-defined. Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment RM.2.141 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI. Vulnerability assessment should be enabled on your SQL servers 3.0.0
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment RM.2.142 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerability assessment should be enabled on your SQL servers 3.0.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. SQL databases should have vulnerability findings resolved 4.1.0
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment RM.2.143 Remediate vulnerabilities in accordance with risk assessments. Vulnerability assessment should be enabled on your SQL servers 3.0.0
System and Communications Protection SC.1.175 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Public network access on Azure SQL Database should be disabled 1.1.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
System and Communications Protection SC.3.177 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Transparent Data Encryption on SQL databases should be enabled 2.0.0
System and Communications Protection SC.3.181 Separate user functionality from system management functionality. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
System and Communications Protection SC.3.183 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Public network access on Azure SQL Database should be disabled 1.1.0
System and Communications Protection SC.3.191 Protect the confidentiality of CUI at rest. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Communications Protection SC.3.191 Protect the confidentiality of CUI at rest. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
System and Communications Protection SC.3.191 Protect the confidentiality of CUI at rest. Transparent Data Encryption on SQL databases should be enabled 2.0.0
System and Information Integrity SI.1.210 Identify, report, and correct information and information system flaws in a timely manner. SQL databases should have vulnerability findings resolved 4.1.0
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity SI.2.216 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity SI.2.217 Identify unauthorized use of organizational systems. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

FedRAMP High

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP High. For more information about this compliance standard, see FedRAMP High.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (1) Automated System Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (7) Role-Based Schemes An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Access Control AC-3 Access Enforcement An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-4 Information Flow Enforcement Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-4 Information Flow Enforcement Public network access on Azure SQL Database should be disabled 1.1.0
Access Control AC-17 Remote Access Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-17 (1) Automated Monitoring / Control Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-6 (4) Central Review And Analysis Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-11 Audit Record Retention SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Audit And Accountability AU-12 Audit Generation Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Contingency Planning CP-6 Alternate Storage Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Contingency Planning CP-6 (1) Separation From Primary Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identification And Authentication IA-4 Identifier Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning SQL databases should have vulnerability findings resolved 4.1.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment RA-5 Vulnerability Scanning Vulnerability assessment should be enabled on your SQL servers 3.0.0
System And Communications Protection SC-7 Boundary Protection Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System And Communications Protection SC-7 Boundary Protection Public network access on Azure SQL Database should be disabled 1.1.0
System And Communications Protection SC-7 (3) Access Points Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System And Communications Protection SC-7 (3) Access Points Public network access on Azure SQL Database should be disabled 1.1.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
System And Communications Protection SC-28 Protection Of Information At Rest Transparent Data Encryption on SQL databases should be enabled 2.0.0
System And Communications Protection SC-28 (1) Cryptographic Protection Transparent Data Encryption on SQL databases should be enabled 2.0.0
System And Information Integrity SI-2 Flaw Remediation SQL databases should have vulnerability findings resolved 4.1.0
System And Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System And Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

FedRAMP Moderate

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - FedRAMP Moderate. For more information about this compliance standard, see FedRAMP Moderate.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (1) Automated System Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (7) Role-Based Schemes An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Access Control AC-3 Access Enforcement An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-4 Information Flow Enforcement Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-4 Information Flow Enforcement Public network access on Azure SQL Database should be disabled 1.1.0
Access Control AC-17 Remote Access Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-17 (1) Automated Monitoring / Control Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-11 Audit Record Retention SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Audit And Accountability AU-12 Audit Generation Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Contingency Planning CP-6 Alternate Storage Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Contingency Planning CP-6 (1) Separation From Primary Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identification And Authentication IA-4 Identifier Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning SQL databases should have vulnerability findings resolved 4.1.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment RA-5 Vulnerability Scanning Vulnerability assessment should be enabled on your SQL servers 3.0.0
System And Communications Protection SC-7 Boundary Protection Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System And Communications Protection SC-7 Boundary Protection Public network access on Azure SQL Database should be disabled 1.1.0
System And Communications Protection SC-7 (3) Access Points Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System And Communications Protection SC-7 (3) Access Points Public network access on Azure SQL Database should be disabled 1.1.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
System And Communications Protection SC-28 Protection Of Information At Rest Transparent Data Encryption on SQL databases should be enabled 2.0.0
System And Communications Protection SC-28 (1) Cryptographic Protection Transparent Data Encryption on SQL databases should be enabled 2.0.0
System And Information Integrity SI-2 Flaw Remediation SQL databases should have vulnerability findings resolved 4.1.0
System And Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System And Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

HIPAA HITRUST 9.2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - HIPAA HITRUST 9.2. For more information about this compliance standard, see HIPAA HITRUST 9.2.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
03 Portable Media Security 0301.09o1Organizational.123-09.o 0301.09o1Organizational.123-09.o 09.07 Media Handling Transparent Data Encryption on SQL databases should be enabled 2.0.0
03 Portable Media Security 0304.09o3Organizational.1-09.o 0304.09o3Organizational.1-09.o 09.07 Media Handling SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
03 Portable Media Security 0304.09o3Organizational.1-09.o 0304.09o3Organizational.1-09.o 09.07 Media Handling SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management SQL databases should have vulnerability findings resolved 4.1.0
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
07 Vulnerability Management 0709.10m1Organizational.1-10.m 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management Vulnerability assessment should be enabled on your SQL servers 3.0.0
07 Vulnerability Management 0710.10m2Organizational.1-10.m 0710.10m2Organizational.1-10.m 10.06 Technical Vulnerability Management Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
07 Vulnerability Management 0716.10m3Organizational.1-10.m 0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management SQL databases should have vulnerability findings resolved 4.1.0
07 Vulnerability Management 0719.10m3Organizational.5-10.m 0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
08 Network Protection 0805.01m1Organizational.12-01.m 0805.01m1Organizational.12-01.m 01.04 Network Access Control SQL Server should use a virtual network service endpoint 1.0.0
08 Network Protection 0806.01m2Organizational.12356-01.m 0806.01m2Organizational.12356-01.m 01.04 Network Access Control SQL Server should use a virtual network service endpoint 1.0.0
08 Network Protection 0862.09m2Organizational.8-09.m 0862.09m2Organizational.8-09.m 09.06 Network Security Management SQL Server should use a virtual network service endpoint 1.0.0
08 Network Protection 0894.01m2Organizational.7-01.m 0894.01m2Organizational.7-01.m 01.04 Network Access Control SQL Server should use a virtual network service endpoint 1.0.0
12 Audit Logging & Monitoring 1211.09aa3System.4-09.aa 1211.09aa3System.4-09.aa 09.10 Monitoring Auditing on SQL server should be enabled 2.0.0
16 Business Continuity & Disaster Recovery 1616.09l1Organizational.16-09.l 1616.09l1Organizational.16-09.l 09.05 Information Back-Up Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
16 Business Continuity & Disaster Recovery 1621.09l2Organizational.1-09.l 1621.09l2Organizational.1-09.l 09.05 Information Back-Up Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0

IRS 1075 September 2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - IRS 1075 September 2016. For more information about this compliance standard, see IRS 1075 September 2016.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control 9.3.1.2 Account Management (AC-2) An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment 9.3.14.3 Vulnerability Scanning (RA-5) SQL databases should have vulnerability findings resolved 4.1.0
System and Communications Protection 9.3.16.15 Protection of Information at Rest (SC-28) Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Communications Protection 9.3.16.15 Protection of Information at Rest (SC-28) Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
System and Communications Protection 9.3.16.15 Protection of Information at Rest (SC-28) Transparent Data Encryption on SQL databases should be enabled 2.0.0
System and Information Integrity 9.3.17.2 Flaw Remediation (SI-2) SQL databases should have vulnerability findings resolved 4.1.0
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity 9.3.17.4 Information System Monitoring (SI-4) Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Awareness and Training 9.3.3.11 Audit Generation (AU-12) Auditing on SQL server should be enabled 2.0.0
Awareness and Training 9.3.3.11 Audit Generation (AU-12) Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Awareness and Training 9.3.3.11 Audit Generation (AU-12) Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Awareness and Training 9.3.3.5 Response to Audit Processing Failures (AU-5) Auditing on SQL server should be enabled 2.0.0
Awareness and Training 9.3.3.5 Response to Audit Processing Failures (AU-5) Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Awareness and Training 9.3.3.5 Response to Audit Processing Failures (AU-5) Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

ISO 27001:2013

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - ISO 27001:2013. For more information about this compliance standard, see ISO 27001:2013.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Cryptography 10.1.1 Policy on the use of cryptographic controls Transparent Data Encryption on SQL databases should be enabled 2.0.0
Operations Security 12.4.1 Event Logging Auditing on SQL server should be enabled 2.0.0
Operations Security 12.4.3 Administrator and operator logs Auditing on SQL server should be enabled 2.0.0
Operations Security 12.4.4 Clock Synchronization Auditing on SQL server should be enabled 2.0.0
Operations Security 12.6.1 Management of technical vulnerabilities SQL databases should have vulnerability findings resolved 4.1.0
Asset Management 8.2.1 Classification of information SQL databases should have vulnerability findings resolved 4.1.0
Access Control 9.2.3 Management of privileged access rights An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0

Microsoft Cloud for Sovereignty Baseline Confidential Policies

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for MCfS Sovereignty Baseline Confidential Policies. For more information about this compliance standard, see Microsoft Cloud for Sovereignty Policy portfolio.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
SO.3 - Customer-Managed Keys SO.3 Azure products must be configured to use Customer-Managed Keys when possible. SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
SO.3 - Customer-Managed Keys SO.3 Azure products must be configured to use Customer-Managed Keys when possible. SQL servers should use customer-managed keys to encrypt data at rest 2.0.1

Microsoft cloud security benchmark

The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. To see how this service completely maps to the Microsoft cloud security benchmark, see the Azure Security Benchmark mapping files.

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Microsoft cloud security benchmark.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Network Security NS-2 Secure cloud services with network controls Azure SQL Managed Instances should disable public network access 1.0.0
Network Security NS-2 Secure cloud services with network controls Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Network Security NS-2 Secure cloud services with network controls Public network access on Azure SQL Database should be disabled 1.1.0
Identity Management IM-1 Use centralized identity and authentication system An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identity Management IM-1 Use centralized identity and authentication system Azure SQL Database should have Microsoft Entra-only authentication enabled 1.0.0
Identity Management IM-1 Use centralized identity and authentication system Azure SQL Database should have Microsoft Entra-only authentication enabled during creation 1.2.0
Identity Management IM-1 Use centralized identity and authentication system Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled 1.0.0
Identity Management IM-1 Use centralized identity and authentication system Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation 1.2.0
Identity Management IM-4 Authenticate server and services Azure SQL Database should be running TLS version 1.2 or newer 2.0.0
Data Protection DP-2 Monitor anomalies and threats targeting sensitive data Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Data Protection DP-3 Encrypt sensitive data in transit Azure SQL Database should be running TLS version 1.2 or newer 2.0.0
Data Protection DP-4 Enable data at rest encryption by default Transparent Data Encryption on SQL databases should be enabled 2.0.0
Data Protection DP-5 Use customer-managed key option in data at rest encryption when required SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
Data Protection DP-5 Use customer-managed key option in data at rest encryption when required SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
Logging and Threat Detection LT-1 Enable threat detection capabilities Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Logging and Threat Detection LT-1 Enable threat detection capabilities Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Logging and Threat Detection LT-2 Enable threat detection for identity and access management Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Logging and Threat Detection LT-2 Enable threat detection for identity and access management Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Logging and Threat Detection LT-3 Enable logging for security investigation Auditing on SQL server should be enabled 2.0.0
Logging and Threat Detection LT-6 Configure log storage retention SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Incident Response IR-3 Detection and analysis - create incidents based on high-quality alerts Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-3 Detection and analysis - create incidents based on high-quality alerts Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Posture and Vulnerability Management PV-5 Perform vulnerability assessments Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Posture and Vulnerability Management PV-5 Perform vulnerability assessments Vulnerability assessment should be enabled on your SQL servers 3.0.0
Posture and Vulnerability Management PV-6 Rapidly and automatically remediate vulnerabilities SQL databases should have vulnerability findings resolved 4.1.0
Incident Response AIR-5 Detection and analysis - prioritize incidents Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response AIR-5 Detection and analysis - prioritize incidents Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

NIST SP 800-171 R2

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-171 R2. For more information about this compliance standard, see NIST SP 800-171 R2.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control 3.1.12 Monitor and control remote access sessions. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control 3.1.14 Route remote access via managed access control points. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control 3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control 3.1.3 Control the flow of CUI in accordance with approved authorizations. Public network access on Azure SQL Database should be disabled 1.1.0
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. SQL databases should have vulnerability findings resolved 4.1.0
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerability assessment should be enabled on your SQL servers 3.0.0
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. SQL databases should have vulnerability findings resolved 4.1.0
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment 3.11.3 Remediate vulnerabilities in accordance with risk assessments. Vulnerability assessment should be enabled on your SQL servers 3.0.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System and Communications Protection 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Public network access on Azure SQL Database should be disabled 1.1.0
System and Communications Protection 3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems. SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
System and Communications Protection 3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems. SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
System and Communications Protection 3.13.16 Protect the confidentiality of CUI at rest. Transparent Data Encryption on SQL databases should be enabled 2.0.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System and Communications Protection 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. Public network access on Azure SQL Database should be disabled 1.1.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System and Communications Protection 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Public network access on Azure SQL Database should be disabled 1.1.0
System and Communications Protection 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). Public network access on Azure SQL Database should be disabled 1.1.0
System and Information Integrity 3.14.1 Identify, report, and correct system flaws in a timely manner. SQL databases should have vulnerability findings resolved 4.1.0
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity 3.14.7 Identify unauthorized use of organizational systems. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Auditing on SQL server should be enabled 2.0.0
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Auditing on SQL server should be enabled 2.0.0
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions. SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Audit and Accountability 3.3.4 Alert in the event of an audit logging process failure. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability 3.3.4 Alert in the event of an audit logging process failure. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Identification and Authentication 3.5.1 Identify system users, processes acting on behalf of users, and devices. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identification and Authentication 3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identification and Authentication 3.5.5 Prevent reuse of identifiers for a defined period. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identification and Authentication 3.5.6 Disable identifiers after a defined period of inactivity. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0

NIST SP 800-53 Rev. 4

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 4. For more information about this compliance standard, see NIST SP 800-53 Rev. 4.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (1) Automated System Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (7) Role-Based Schemes An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (12) Account Monitoring / Atypical Usage Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Access Control AC-3 Access Enforcement An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-4 Information Flow Enforcement Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-4 Information Flow Enforcement Public network access on Azure SQL Database should be disabled 1.1.0
Access Control AC-16 Security Attributes Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Access Control AC-16 Security Attributes Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Access Control AC-17 Remote Access Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-17 (1) Automated Monitoring / Control Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-6 Audit Review, Analysis, And Reporting Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-6 (4) Central Review And Analysis Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-6 (4) Central Review And Analysis Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-6 (5) Integration / Scanning And Monitoring Capabilities Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-11 Audit Record Retention SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Audit And Accountability AU-12 Audit Generation Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-12 Audit Generation Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Auditing on SQL server should be enabled 2.0.0
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit And Accountability AU-12 (1) System-Wide / Time-Correlated Audit Trail Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Contingency Planning CP-6 Alternate Storage Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Contingency Planning CP-6 (1) Separation From Primary Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Identification And Authentication IA-2 Identification And Authentication (Organizational Users) An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identification And Authentication IA-4 Identifier Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RA-5 Vulnerability Scanning Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Scanning SQL databases should have vulnerability findings resolved 4.1.0
Risk Assessment RA-5 Vulnerability Scanning Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment RA-5 Vulnerability Scanning Vulnerability assessment should be enabled on your SQL servers 3.0.0
System And Communications Protection SC-7 Boundary Protection Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System And Communications Protection SC-7 Boundary Protection Public network access on Azure SQL Database should be disabled 1.1.0
System And Communications Protection SC-7 (3) Access Points Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System And Communications Protection SC-7 (3) Access Points Public network access on Azure SQL Database should be disabled 1.1.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
System And Communications Protection SC-12 Cryptographic Key Establishment And Management SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
System And Communications Protection SC-28 Protection Of Information At Rest Transparent Data Encryption on SQL databases should be enabled 2.0.0
System And Communications Protection SC-28 (1) Cryptographic Protection Transparent Data Encryption on SQL databases should be enabled 2.0.0
System And Information Integrity SI-2 Flaw Remediation SQL databases should have vulnerability findings resolved 4.1.0
System And Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System And Information Integrity SI-4 Information System Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

NIST SP 800-53 Rev. 5

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - NIST SP 800-53 Rev. 5. For more information about this compliance standard, see NIST SP 800-53 Rev. 5.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Access Control AC-2 Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (1) Automated System Account Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (7) Privileged User Accounts An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-2 (12) Account Monitoring for Atypical Usage Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Access Control AC-3 Access Enforcement An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Access Control AC-4 Information Flow Enforcement Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-4 Information Flow Enforcement Public network access on Azure SQL Database should be disabled 1.1.0
Access Control AC-16 Security and Privacy Attributes Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Access Control AC-16 Security and Privacy Attributes Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Access Control AC-17 Remote Access Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Access Control AC-17 (1) Monitoring and Control Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU-6 Audit Record Review, Analysis, and Reporting Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability AU-6 (4) Central Review and Analysis Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU-6 (4) Central Review and Analysis Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU-6 (5) Integrated Analysis of Audit Records Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability AU-11 Audit Record Retention SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Audit and Accountability AU-12 Audit Record Generation Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU-12 Audit Record Generation Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU-12 Audit Record Generation Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Auditing on SQL server should be enabled 2.0.0
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Audit and Accountability AU-12 (1) System-wide and Time-correlated Audit Trail Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Contingency Planning CP-6 Alternate Storage Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Contingency Planning CP-6 (1) Separation from Primary Site Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Identification and Authentication IA-2 Identification and Authentication (organizational Users) An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Identification and Authentication IA-4 Identifier Management An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-4 Incident Handling Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Incident Response IR-5 Incident Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Risk Assessment RA-5 Vulnerability Monitoring and Scanning SQL databases should have vulnerability findings resolved 4.1.0
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Risk Assessment RA-5 Vulnerability Monitoring and Scanning Vulnerability assessment should be enabled on your SQL servers 3.0.0
System and Communications Protection SC-7 Boundary Protection Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System and Communications Protection SC-7 Boundary Protection Public network access on Azure SQL Database should be disabled 1.1.0
System and Communications Protection SC-7 (3) Access Points Private endpoint connections on Azure SQL Database should be enabled 1.1.0
System and Communications Protection SC-7 (3) Access Points Public network access on Azure SQL Database should be disabled 1.1.0
System and Communications Protection SC-12 Cryptographic Key Establishment and Management SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
System and Communications Protection SC-12 Cryptographic Key Establishment and Management SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
System and Communications Protection SC-28 Protection of Information at Rest Transparent Data Encryption on SQL databases should be enabled 2.0.0
System and Communications Protection SC-28 (1) Cryptographic Protection Transparent Data Encryption on SQL databases should be enabled 2.0.0
System and Information Integrity SI-2 Flaw Remediation SQL databases should have vulnerability findings resolved 4.1.0
System and Information Integrity SI-4 System Monitoring Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
System and Information Integrity SI-4 System Monitoring Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2

NL BIO Cloud Theme

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for NL BIO Cloud Theme. For more information about this compliance standard, see Baseline Information Security Government Cybersecurity - Digital Government (digitaleoverheid.nl).

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
C.04.3 Technical vulnerability management - Timelines C.04.3 If the probability of abuse and the expected damage are both high, patches are installed no later than within a week. SQL databases should have vulnerability findings resolved 4.1.0
C.04.6 Technical vulnerability management - Timelines C.04.6 Technical weaknesses can be remedied by performing patch management in a timely manner. SQL databases should have vulnerability findings resolved 4.1.0
C.04.7 Technical vulnerability management - Evaluated C.04.7 Evaluations of technical vulnerabilities are recorded and reported. SQL databases should have vulnerability findings resolved 4.1.0
C.04.8 Technical vulnerability management - Evaluated C.04.8 The evaluation reports contain suggestions for improvement and are communicated with managers/owners. SQL databases should have vulnerability findings resolved 4.1.0
U.05.1 Data protection - Cryptographic measures U.05.1 Data transport is secured with cryptography where key management is carried out by the CSC itself if possible. Azure SQL Database should be running TLS version 1.2 or newer 2.0.0
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
U.05.2 Data protection - Cryptographic measures U.05.2 Data stored in the cloud service shall be protected to the latest state of the art. Transparent Data Encryption on SQL databases should be enabled 2.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Azure SQL Managed Instances should disable public network access 1.0.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Private endpoint connections on Azure SQL Database should be enabled 1.1.0
U.07.1 Data separation - Isolated U.07.1 Permanent isolation of data is a multi-tenant architecture. Patches are realized in a controlled manner. Public network access on Azure SQL Database should be disabled 1.1.0
U.07.3 Data separation - Management features U.07.3 U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
U.07.3 Data separation - Management features U.07.3 U.07.3 - The privileges to view or modify CSC data and/or encryption keys are granted in a controlled manner and use is logged. Transparent Data Encryption on SQL databases should be enabled 2.0.0
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
U.09.3 Malware Protection - Detection, prevention and recovery U.09.3 The malware protection runs on different environments. Vulnerability assessment should be enabled on your SQL servers 3.0.0
U.10.2 Access to IT services and data - Users U.10.2 Under the responsibility of the CSP, access is granted to administrators. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
U.10.3 Access to IT services and data - Users U.10.3 Only users with authenticated equipment can access IT services and data. SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
U.10.5 Access to IT services and data - Competent U.10.5 Access to IT services and data is limited by technical measures and has been implemented. An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
U.11.1 Cryptoservices - Policy U.11.1 In the cryptography policy, at least the subjects in accordance with BIO have been elaborated. Transparent Data Encryption on SQL databases should be enabled 2.0.0
U.11.2 Cryptoservices - Cryptographic measures U.11.2 In case of PKIoverheid certificates use PKIoverheid requirements for key management. In other situations use ISO11770. Transparent Data Encryption on SQL databases should be enabled 2.0.0
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
U.11.3 Cryptoservices - Encrypted U.11.3 Sensitive data is always encrypted, with private keys managed by the CSC. Transparent Data Encryption on SQL databases should be enabled 2.0.0
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Auditing on SQL server should be enabled 2.0.0
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
U.15.1 Logging and monitoring - Events logged U.15.1 The violation of the policy rules is recorded by the CSP and the CSC. Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
U.15.3 Logging and monitoring - Events logged U.15.3 CSP maintains a list of all assets that are critical in terms of logging and monitoring and reviews this list. Auditing on SQL server should be enabled 2.0.0

PCI DSS 3.2.1

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see PCI DSS 3.2.1. For more information about this compliance standard, see PCI DSS 3.2.1.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Requirement 10 10.5.4 PCI DSS requirement 10.5.4 Auditing on SQL server should be enabled 2.0.0
Requirement 11 11.2.1 PCI DSS requirement 11.2.1 SQL databases should have vulnerability findings resolved 4.1.0
Requirement 3 3.2 PCI DSS requirement 3.2 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Requirement 3 3.4 PCI DSS requirement 3.4 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Requirement 4 4.1 PCI DSS requirement 4.1 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Requirement 5 5.1 PCI DSS requirement 5.1 SQL databases should have vulnerability findings resolved 4.1.0
Requirement 6 6.2 PCI DSS requirement 6.2 SQL databases should have vulnerability findings resolved 4.1.0
Requirement 6 6.5.3 PCI DSS requirement 6.5.3 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Requirement 6 6.6 PCI DSS requirement 6.6 SQL databases should have vulnerability findings resolved 4.1.0
Requirement 7 7.2.1 PCI DSS requirement 7.2.1 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Requirement 8 8.3.1 PCI DSS requirement 8.3.1 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0

PCI DSS v4.0

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for PCI DSS v4.0. For more information about this compliance standard, see PCI DSS v4.0.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data 10.2.2 Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events Auditing on SQL server should be enabled 2.0.0
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data 10.3.3 Audit logs are protected from destruction and unauthorized modifications Auditing on SQL server should be enabled 2.0.0
Requirement 11: Test Security of Systems and Networks Regularly 11.3.1 External and internal vulnerabilities are regularly identified, prioritized, and addressed SQL databases should have vulnerability findings resolved 4.1.0
Requirement 03: Protect Stored Account Data 3.3.3 Sensitive authentication data (SAD) is not stored after authorization An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Requirement 03: Protect Stored Account Data 3.5.1 Primary account number (PAN) is secured wherever it is stored Transparent Data Encryption on SQL databases should be enabled 2.0.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.1 Malicious software (malware) is prevented, or detected and addressed SQL databases should have vulnerability findings resolved 4.1.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.2 Malicious software (malware) is prevented, or detected and addressed SQL databases should have vulnerability findings resolved 4.1.0
Requirement 05: Protect All Systems and Networks from Malicious Software 5.2.3 Malicious software (malware) is prevented, or detected and addressed SQL databases should have vulnerability findings resolved 4.1.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.2.4 Bespoke and custom software are developed securely Transparent Data Encryption on SQL databases should be enabled 2.0.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.3.3 Security vulnerabilities are identified and addressed SQL databases should have vulnerability findings resolved 4.1.0
Requirement 06: Develop and Maintain Secure Systems and Software 6.4.1 Public-facing web applications are protected against attacks SQL databases should have vulnerability findings resolved 4.1.0
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know 7.3.1 Access to system components and data is managed via an access control system(s) An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Requirement 08: Identify Users and Authenticate Access to System Components 8.4.1 Multi-factor authentication (MFA) is implemented to secure access into the CDE An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0

Reserve Bank of India - IT Framework for NBFC

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - Reserve Bank of India - IT Framework for NBFC. For more information about this compliance standard, see Reserve Bank of India - IT Framework for NBFC.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
IT Governance 1 IT Governance-1 SQL databases should have vulnerability findings resolved 4.1.0
IT Governance 1 IT Governance-1 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
IT Governance 1 IT Governance-1 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Information and Cyber Security 3.1.f Maker-checker-3.1 Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Information and Cyber Security 3.1.f Maker-checker-3.1 Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Information and Cyber Security 3.1.g Trails-3.1 Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Information and Cyber Security 3.1.g Trails-3.1 Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Information and Cyber Security 3.1.g Trails-3.1 SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Information and Cyber Security 3.1.h Public Key Infrastructure (PKI)-3.1 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 SQL databases should have vulnerability findings resolved 4.1.0
Information and Cyber Security 3.3 Vulnerability Management-3.3 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Information and Cyber Security 3.3 Vulnerability Management-3.3 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Business Continuity Planning 6 Business Continuity Planning (BCP) and Disaster Recovery-6 Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Business Continuity Planning 6.2 Recovery strategy / Contingency Plan-6.2 Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Business Continuity Planning 6.3 Recovery strategy / Contingency Plan-6.3 Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0

Reserve Bank of India IT Framework for Banks v2016

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RBI ITF Banks v2016. For more information about this compliance standard, see RBI ITF Banks v2016 (PDF).

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
User Access Control / Management User Access Control / Management-8.2 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Network Management And Security Security Operation Centre-4.9 Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Network Management And Security Security Operation Centre-4.9 Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.7 Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.7 Public network access on Azure SQL Database should be disabled 1.1.0
Preventing Execution Of Unauthorised Software Security Update Management-2.3 SQL databases should have vulnerability findings resolved 4.1.0
Metrics Metrics-21.1 SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
Metrics Metrics-21.1 SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
Advanced Real-Timethreat Defenceand Management Advanced Real-Timethreat Defenceand Management-13.4 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.1 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Patch/Vulnerability & Change Management Patch/Vulnerability & Change Management-7.1 Vulnerability assessment should be enabled on your SQL servers 3.0.0

RMIT Malaysia

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - RMIT Malaysia. For more information about this compliance standard, see RMIT Malaysia.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Cryptography 10.16 Cryptography - 10.16 SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
Cryptography 10.16 Cryptography - 10.16 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Cryptography 10.19 Cryptography - 10.19 SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
Network Resilience 10.33 Network Resilience - 10.33 Configure Azure SQL Server to disable public network access 1.0.0
Network Resilience 10.33 Network Resilience - 10.33 Configure Azure SQL Server to enable private endpoint connections 1.0.0
Network Resilience 10.33 Network Resilience - 10.33 Private endpoint connections on Azure SQL Database should be enabled 1.1.0
Network Resilience 10.39 Network Resilience - 10.39 SQL Server should use a virtual network service endpoint 1.0.0
Cloud Services 10.49 Cloud Services - 10.49 SQL Database should avoid using GRS backup redundancy 2.0.0
Cloud Services 10.49 Cloud Services - 10.49 SQL Managed Instances should avoid using GRS backup redundancy 2.0.0
Cloud Services 10.51 Cloud Services - 10.51 Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Cloud Services 10.53 Cloud Services - 10.53 SQL servers should use customer-managed keys to encrypt data at rest 2.0.1
Access Control 10.54 Access Control - 10.54 An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Security of Digital Services 10.66 Security of Digital Services - 10.66 Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace 4.0.0
Data Loss Prevention (DLP) 11.15 Data Loss Prevention (DLP) - 11.15 Configure Azure SQL Server to disable public network access 1.0.0
Data Loss Prevention (DLP) 11.15 Data Loss Prevention (DLP) - 11.15 SQL managed instances should use customer-managed keys to encrypt data at rest 2.0.0
Data Loss Prevention (DLP) 11.15 Data Loss Prevention (DLP) - 11.15 Transparent Data Encryption on SQL databases should be enabled 2.0.0
Security Operations Centre (SOC) 11.18 Security Operations Centre (SOC) - 11.18 Auditing on SQL server should be enabled 2.0.0
Security Operations Centre (SOC) 11.18 Security Operations Centre (SOC) - 11.18 SQL Auditing settings should have Action-Groups configured to capture critical activities 1.0.0
Cybersecurity Operations 11.8 Cybersecurity Operations - 11.8 Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Cybersecurity Operations 11.8 Cybersecurity Operations - 11.8 Vulnerability assessment should be enabled on your SQL servers 3.0.0
Control Measures on Cybersecurity Appendix 5.6 Control Measures on Cybersecurity - Appendix 5.6 Azure SQL Database should be running TLS version 1.2 or newer 2.0.0
Control Measures on Cybersecurity Appendix 5.6 Control Measures on Cybersecurity - Appendix 5.6 Public network access on Azure SQL Database should be disabled 1.1.0
Control Measures on Cybersecurity Appendix 5.6 Control Measures on Cybersecurity - Appendix 5.6 SQL Managed Instance should have the minimal TLS version of 1.2 1.0.1
Control Measures on Cybersecurity Appendix 5.6 Control Measures on Cybersecurity - Appendix 5.6 Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet 1.0.0
Control Measures on Cybersecurity Appendix 5.7 Control Measures on Cybersecurity - Appendix 5.7 Configure Azure SQL Server to enable private endpoint connections 1.0.0

SWIFT CSP-CSCF v2021

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance details for SWIFT CSP-CSCF v2021. For more information about this compliance standard, see SWIFT CSP CSCF v2021.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
SWIFT Environment Protection 1.1 SWIFT Environment Protection Private endpoint connections on Azure SQL Database should be enabled 1.1.0
SWIFT Environment Protection 1.1 SWIFT Environment Protection SQL Server should use a virtual network service endpoint 1.0.0
SWIFT Environment Protection 1.2 Operating System Privileged Account Control An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security Azure SQL Database should be running TLS version 1.2 or newer 2.0.0
Reduce Attack Surface and Vulnerabilities 2.1 Internal Data Flow Security SQL Managed Instance should have the minimal TLS version of 1.2 1.0.1
Reduce Attack Surface and Vulnerabilities 2.5A External Transmission Data Protection Long-term geo-redundant backup should be enabled for Azure SQL Databases 2.0.0
Reduce Attack Surface and Vulnerabilities 2.5A External Transmission Data Protection Transparent Data Encryption on SQL databases should be enabled 2.0.0
Reduce Attack Surface and Vulnerabilities 2.6 Operator Session Confidentiality and Integrity Azure SQL Database should be running TLS version 1.2 or newer 2.0.0
Reduce Attack Surface and Vulnerabilities 2.6 Operator Session Confidentiality and Integrity SQL Managed Instance should have the minimal TLS version of 1.2 1.0.1
Reduce Attack Surface and Vulnerabilities 2.7 Vulnerability Scanning SQL databases should have vulnerability findings resolved 4.1.0
Reduce Attack Surface and Vulnerabilities 2.7 Vulnerability Scanning Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Reduce Attack Surface and Vulnerabilities 2.7 Vulnerability Scanning Vulnerability assessment should be enabled on your SQL servers 3.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.3 Database Integrity Auditing on SQL server should be enabled 2.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.3 Database Integrity Public network access on Azure SQL Database should be disabled 1.1.0
Detect Anomalous Activity to Systems or Transaction Records 6.3 Database Integrity SQL servers with auditing to storage account destination should be configured with 90 days retention or higher 3.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.3 Database Integrity Transparent Data Encryption on SQL databases should be enabled 2.0.0
Detect Anomalous Activity to Systems or Transaction Records 6.4 Logging and Monitoring Auditing on SQL server should be enabled 2.0.0

UK OFFICIAL and UK NHS

To review how the available Azure Policy built-ins for all Azure services map to this compliance standard, see Azure Policy Regulatory Compliance - UK OFFICIAL and UK NHS. For more information about this compliance standard, see UK OFFICIAL.

Domain Control ID Control title Policy
(Azure portal)
Policy version
(GitHub)
Identity and authentication 10 Identity and authentication An Azure Active Directory administrator should be provisioned for SQL servers 1.0.0
Audit information for users 13 Audit information for users Auditing on SQL server should be enabled 2.0.0
Audit information for users 13 Audit information for users Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Asset protection and resilience 2.3 Data at rest protection Transparent Data Encryption on SQL databases should be enabled 2.0.0
Operational security 5.2 Vulnerability management Azure Defender for SQL should be enabled for unprotected Azure SQL servers 2.0.1
Operational security 5.2 Vulnerability management Azure Defender for SQL should be enabled for unprotected SQL Managed Instances 1.0.2
Operational security 5.2 Vulnerability management SQL databases should have vulnerability findings resolved 4.1.0
Operational security 5.2 Vulnerability management Vulnerability assessment should be enabled on SQL Managed Instance 1.0.1
Operational security 5.2 Vulnerability management Vulnerability assessment should be enabled on your SQL servers 3.0.0

Next steps