Assessing API Security Configuration

What is the recommended approach for comparing  the current configuration to the recommended security baselines from MS for the API Management and the Application Gateway services?

 

Many of recommendations are not covered by ASC, do we have to do this manually or is the an automated tool somewhere that I have not found?