Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
806 questions
1 answer
One of the answers was accepted by the question author.
How to Enforce a Tag With a Predefined Value
I want an Azure policy in place that requires all new resources to have an "Environment" tag. With that tag I only want there to be three acceptable values: Test, Prod and Dev. If the value doesn't meet the predefined value, it fails…
asked 2024-02-02T18:31:12.1933333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 40%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
PhrygianMode
20
Reputation points
accepted 2024-02-05T16:32:42.21+00:00
PhrygianMode
20
Reputation points
1 answer
One of the answers was accepted by the question author.
Azure Policy and App Services TLS
Hello, I'm puzzled on an Azure Policy to restrict TLS version on App Services. I set a new Azure Policy to deny deployment if minTlsVersion doesn't equal 1.2. For new deployment, it works fine. However, going back to the App Services General settings, if…
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 69%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
1 answer
Policy Compliance error - Current value must not be equal to the target value.
Hello All, I am deploying a policy to create an NSG rule. The policy does create a new rule, and there are no errors once assigned. But compliance fails with the error below. I am using the policy from the below…
asked 2024-01-30T01:55:47.7666667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 79%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMR%3C/text%3E%3C/svg%3E)
Madhu Rao
40
Reputation points
commented 2024-02-05T08:07:15.9066667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
SwathiDhanwada-MSFT
17,881
Reputation points
1 answer
One of the answers was accepted by the question author.
Can i create an Azure Policy definition that checks which Virtual Machines have Inventory enabled
Hello, I am looking to create an Azure Policy Definition that will check which Virtual Machines have Inventory enabled. Is this possible?? In the definition JSON, i have attempted the below... But cannot find what I should enter in place of the…
asked 2024-01-11T17:55:40.0133333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 63%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
Peter Casey
20
Reputation points
accepted 2024-02-01T16:02:07.03+00:00
Peter Casey
20
Reputation points
2 answers
Deny public access policy not working in Azure
I have used the built in Azure policy which stops public network access for sql server and sql database, the option for sql server doesnt give you the option to deny, however public access for SQL database has an option to deny. I assigned these 2…
asked 2024-01-25T23:25:15.5766667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 39%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
MrFlinstone
501
Reputation points
commented 2024-01-31T18:52:33.24+00:00
Oury Ba-MSFT
16,736
Reputation points Microsoft Employee
2 answers
Multiple Single-factor authentication failures from what seems to be a compromised users
I have noticed in the past month about 900 failed sign in's from what I guess are compromised usernames. They are all reporting as failed, Password in the cloud, password incorrect. So I guess these are all brute force attempts, they are recorded as…
asked 2022-11-29T16:54:45.093+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 34%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDE%3C/text%3E%3C/svg%3E)
Daoust, Eric
6
Reputation points
answered 2024-01-30T23:01:24.2966667+00:00
David Broggy
5,686
Reputation points MVP
1 answer
One of the answers was accepted by the question author.
Azure Policy Compliance error - Failed to register the assignments scopes to Microsoft.PolicyInsights provider
Hello, I can assign Azure policy without any issues. But when I click "Compliance," I get the error below. Thanks, in advance.
2 answers
One of the answers was accepted by the question author.
How to create a custom policy to disable Azure Storage Account firewall option?
I want to disable the Azure Storage Account firewall option. Forcing traffic to use Private EndPoint. I have found a few policies, but it is not disabling the feature. I would like to disable the option that is underlined in red. Thanks in advance.
7 answers
Is there a way to exclude resource groups that contain the word databricks from policy assignment ?
Hi - We have a number of policies that check if diagnostic settings are created for resources. Since databricks uses a managed resource group, these policies always show non-compliant. Is there a way i could use a '*' in the policy definition to…
asked 2022-01-25T18:55:43.17+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 0%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Pookat, Sanal (MBHC 21)
26
Reputation points
edited the question 2024-01-29T10:33:25.67+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 41%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
AnuragSingh-MSFT
20,596
Reputation points
1 answer
Creating a custom Azure Policy definition
Hi everyone, I'm working on creating a custom Azure Policy. I need to allow a small group of users, let’s call them user A, B and C, to access a few specific Blob containers (in a storage account). I don't want to allow the users directly. I want to…
asked 2024-01-17T17:11:41.73+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 85%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Marco
45
Reputation points
commented 2024-01-25T21:17:27.4366667+00:00
JamesTran-MSFT
36,476
Reputation points Microsoft Employee
0 answers
During VM creation, why is the RDP open to Internet rule bypassing NSG policy to deny inbound rule for 3389 for Source Addresses outside of our whitelist?
3389 is successfully blocked by policy on an NSG when a user tries to create an inbound allow rule outside of our whitelist of sourceAddressPrefix for 3389, or any range that includes it (including '*'). The problem is when deploying a VM, if the RDP…
asked 2024-01-22T17:08:15.6333333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 76%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
NN
0
Reputation points
commented 2024-01-24T04:17:30.4966667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 27%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVV%3C/text%3E%3C/svg%3E)
v-vvellanki-MSFT
4,290
Reputation points Microsoft Vendor
0 answers
Creating a complex policy to cross-reference two array fields
Hi, I am looking for some advice on creating a complex policy which involves cross-referencing two fields of the same resource, each field being an array. A practical example I have in mind is checking if an Azure App Gateway has any public IP address…
asked 2024-01-22T11:28:01.9166667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBM%3C/text%3E%3C/svg%3E)
Brijunas, Martynas
0
Reputation points
commented 2024-01-22T14:26:46.77+00:00
tbgangav-MSFT
10,391
Reputation points
1 answer
AutoManage Windows Security Baseline for Azure Ad joined VMs
Hi All, Hope you're doing well! We are facing an issue while using Azure AutoManage Service with Azure AD Joined VMs. We have created Custom Profile in AutoManage, enabling Machine Configuration Feature with ApplyAndAutoCorrect Feature. We the applied…
asked 2023-06-28T09:37:39.5566667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 4%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENG%3C/text%3E%3C/svg%3E)
Nitin Gupta
0
Reputation points
edited the question 2024-01-18T17:11:17.4533333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 64%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EON%3C/text%3E%3C/svg%3E)
OMMI NAVEEN KUMAR
195
Reputation points Microsoft Vendor
1 answer
Azure Policy: Inheriting a Tag and Its Value from Subscription to Resource Groups
Is it possible to create an Azure policy that can automatically inherit a tag and its value (no matter what the value are) from the subscription to the resource group? The tag is always the same, for instance, Application, but the value can change…
asked 2024-01-05T12:37:51.27+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 56.00000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Bombbe
1,611
Reputation points
commented 2024-01-18T04:46:45.6933333+00:00
SwathiDhanwada-MSFT
17,881
Reputation points
2 answers
How to identify Azure Data Lake Gen 2 inside Azure Policy
Hello I need to scope an Azure Policy on Azure Data Lake Gen2 to prevent http and disabling secure transfer Thanks in advance
asked 2024-01-03T09:43:39.1033333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 80%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECH%3C/text%3E%3C/svg%3E)
Christophe Humbert
101
Reputation points
commented 2024-01-11T10:37:18.0733333+00:00
ShaikMaheer-MSFT
38,126
Reputation points Microsoft Employee
1 answer
One of the answers was accepted by the question author.
Will Azure CIS 1.3 policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" be updated to accommodate the latest change of setting Client Cert mode to Ignore if HTTP v2.0 is used?
Due to the following change, we are not able to remediate the policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" anymore (because the Client Cert Mode is enforced to set to Ignore now when HTTP…
asked 2023-06-08T16:48:48.79+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 4%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Sharawat, Neetu
35
Reputation points
accepted 2024-01-09T11:19:43.72+00:00
Sharawat, Neetu
35
Reputation points
1 answer
One of the answers was accepted by the question author.
Bastion only Custom Role based access
There is a requirement to allow RDP access to a limited set of VMs on Azure; we use Bastion for admins; but for these particular users I ONLY want to give them the ability to use Bastion on the portal and then RDP to the servers. My question is; which…
1 answer
Help with modifying built-in policy "Deploy Diagnostic Settings for Key Vault to Event Hub" so that it forwards logs Event Hub based on key vault's region
With the limitation of Event Hub namespaces only being able to receive logs from resources in the same region, trying avoid creating an assignment for every region we operate, and instead, simplify it in one custom policy assignment, so that the logs…
asked 2023-12-27T22:12:26.9733333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 96%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENM%3C/text%3E%3C/svg%3E)
Nick Morris
0
Reputation points
answered 2024-01-04T08:03:06.5433333+00:00
Luke Murray
10,611
Reputation points MVP
1 answer
Azure Resouse Diagnostic Settings
Hello Community, I have a azure resource with diagnostic settings to foword logs to a workspace. I also want logs to go in 3rd party application. Should I need to configure diagnostic settings with in the azure resource or if I configure it in…
asked 2023-12-20T21:40:38.4+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 48%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVL%3C/text%3E%3C/svg%3E)
Vik Lu
0
Reputation points
commented 2024-01-03T08:43:07.8666667+00:00
AnuragSingh-MSFT
20,596
Reputation points
0 answers
issue with built-in Azure Policy "Configure Azure Activity logs to stream to specified Log Analytics workspace"
hi, trying to deploy the policy Configure Azure Activity logs to stream to specified Log Analytics workspace https://www.azadvertizer.net/azpolicyadvertizer/2465583e-4e78-4c15-b6be-a36cbc7c8b0f.html Altough, the parametree is configured to use…
asked 2023-12-14T15:14:34.7233333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 28.000000000000004%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA0%3C/text%3E%3C/svg%3E)
AdamBudzinskiAZA-0329
91
Reputation points
commented 2023-12-28T04:12:43.78+00:00
SwathiDhanwada-MSFT
17,881
Reputation points