Ensuring Best Practices for API Management and App Gateway services

What is the recommended approach for comparing a current configuration to the recommended security baselines from MS for the API Management and the Application Gateway services ? Many of these are not covered by the Azure Security Center. 

 

Does this need to be done manually, or is there some automated tool that I have not found?