question

HoangNguyen-8276 asked ·

Need help to build a policy to deny sql database that has Transparent Data Encryption disabled

There is a built-in Azure policy named "Transparent Data Encryption on SQL databases should be enabled"
with definition ID: /providers/Microsoft.Authorization/policyDefinitions/17k78e20-9358-41c9-923c-fb736d382a12
But this policy only supports 2 effects:
"AuditIfNotExists",
"Disabled"
I need to build a policy that has a deny effect to deny SQL databases that have Transparent Data Encryption disabled. I'm trying to base it on the above policy but can't find a solution.
Please help

azure-sql-database azure-policy
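An added example of a deny-effect definition for this case (not code from the thread or from the Azure policy samples repository). It targets the `Microsoft.Sql/servers/databases/transparentDataEncryption` child resource rather than the database itself, so it must use `"mode": "All"` (Indexed mode skips child resources that carry no tags or location), and because that child resource is always named `current`, compliance results will show `current` rather than the database name; the two property aliases are assumed from the built-in definition's existence condition and should be verified against `Get-AzPolicyAlias` in your tenant.

```json
{
  "properties": {
    "displayName": "Deny SQL databases with Transparent Data Encryption disabled (example)",
    "description": "Denies any write to a database's transparentDataEncryption child resource that leaves TDE disabled.",
    "mode": "All",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Sql/servers/databases/transparentDataEncryption"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Sql/transparentDataEncryption.status",
                "equals": "disabled"
              },
              {
                "field": "Microsoft.Sql/servers/databases/transparentDataEncryption/state",
                "equals": "disabled"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

Azure Policy string comparisons such as `equals` are case-insensitive, so `"disabled"` matches the `Disabled` value returned by either API version.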
9 comments

Hi @HoangNguyen-8276, could you please refer to the link below and check if this solves the issue:

https://github.com/Azure/azure-policy/blob/master/samples/SQL/deny-sql-db-tde-disabled/azurepolicy.json

0 Votes

Hi @AnuragSharma-MSFT, I have tried the above code but the result is quite different from my expectation, which is similar to the original policy (which does not support deny mode), as you can see below:

[fail.png: compliance result of the GitHub policy]

[pass.png: compliance result of the original policy]

As you can see, I want to see the non-compliant DB/resource name in the policy result screen.


0 Votes

Hi @HoangNguyen-8276, we understand the issue wherein you want to see the resource name instead of 'current'. We are looking into it and will get back to you at the earliest.

1 Vote

0 Answers