Azure Security policies to get started and required custom security policies

Security and Compliance

In most cases the same doubt comes up: the customer is not aware of their regulatory requirements, or has nothing specific to follow, so what is the starting point?

I always recommend that the customer start by applying the Azure Security Benchmark (ASB) initiative. The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure.

The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

After applying the standard initiative, the usual next step is to apply some custom policies such as:

• Allowed locations
• Allowed approved VM images
• Use approved networks
• Deny unapproved networks for VM network interfaces
• VNet peering allowed/disallowed only between approved VNets
• Block public IP addresses and network devices, except for the network team
• deny-changing-address-space-of-a-virtual-network
• Allowed SKUs for storage accounts, VMs, Key Vaults, load balancers, firewalls, ExpressRoute, etc.
• Apply tag and default value.
• Enforce tag and value.
• Enforce naming convention.
• Not allowed resource types (around 500+ services, including public IPs and firewalls)
• Require storage account encryption.
• Allowed resource types.
• Enable logs and encryption.

You can find additional custom policies in the Azure/Community-Policy GitHub repository: Community-Policy/policyDefinitions at main · Azure/Community-Policy · GitHub
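As an added example (not code from this post or from the Azure/Community-Policy repository), the following Python models a custom "Allowed locations" definition in the shape every Azure Policy definition has (mode, parameters, policyRule with if/then) and adds a small dry-run evaluator that supports only the subset of the policy language this rule needs, so candidate resources can be checked against the rule before it is assigned with the deny effect. The policy name, the parameter value and the sample resources are constructed for the example.

```python
# Custom "Allowed locations" definition (constructed here; same shape as any Azure Policy definition).
ALLOWED_LOCATIONS_POLICY = {
    "displayName": "Allowed locations (custom)",
    "mode": "Indexed",
    "parameters": {
        "listOfAllowedLocations": {"type": "Array", "metadata": {"strongType": "location"}}
    },
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
                {"field": "location", "notEquals": "global"},  # global resources are exempt
            ]
        },
        "then": {"effect": "deny"},
    },
}

def _resolve(expr, params):
    """Resolve a "[parameters('name')]" reference to the value set at assignment."""
    if isinstance(expr, str) and expr.startswith("[parameters('"):
        return params[expr[len("[parameters('"):-len("')]")]]
    return expr

def matches(cond, resource, params):
    """Dry-run evaluator for the subset allOf/anyOf/not and equals/in field tests.
    Azure Policy compares strings case-insensitively, so both sides are lowered."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    op, expected = next((k, v) for k, v in cond.items() if k != "field")
    actual = str(resource.get(cond["field"], "")).lower()
    expected = _resolve(expected, params)
    if op in ("equals", "notEquals"):
        hit = actual == str(expected).lower()
    elif op in ("in", "notIn"):
        hit = actual in {str(e).lower() for e in expected}
    else:
        raise ValueError(f"operator {op} is not supported by this dry-run evaluator")
    return hit if op in ("equals", "in") else not hit

def effect_for(resource, policy, params):
    """Effect the rule would apply to the resource ("deny"), or None if compliant."""
    rule = policy["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else None
```

The same dictionary, serialised to JSON, is what you would hand to the portal or CLI when creating the definition; the evaluator is only a local sanity check of the rule logic, not a substitute for Azure's own compliance evaluation.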
