How to Enforce a Tag With a Predefined Value
I want an Azure policy in place that requires all new resources to have an "Environment" tag. With that tag I only want there to be three acceptable values: Test, Prod and Dev. If the value doesn't meet the predefined value, it fails…
Azure Policy and App Services TLS
Hello, I'm puzzled on an Azure Policy to restrict TLS version on App Services. I set a new Azure Policy to deny deployment if minTlsVersion doesn't equal 1.2. For new deployment, it works fine. However, going back to the App Services General settings, if…
Policy Compliance error - Current value must not be equal to the target value.
Hello All, I am deploying a policy to create an NSG rule. The policy does create a new rule, and there are no errors once assigned. But compliance fails with the error below. I am using the policy from the below…
Can I create an Azure Policy definition that checks which Virtual Machines have Inventory enabled
Hello, I am looking to create an Azure Policy Definition that will check which Virtual Machines have Inventory enabled. Is this possible? In the definition JSON, I have attempted the below... But cannot find what I should enter in place of the…
Deny public access policy not working in Azure
I have used the built-in Azure policy which stops public network access for SQL Server and SQL Database. The option for SQL Server doesn't give you the option to deny; however, public access for SQL Database has an option to deny. I assigned these 2…
Multiple single-factor authentication failures from what seem to be compromised users
I have noticed in the past month about 900 failed sign-ins from what I guess are compromised usernames. They are all reporting as failed, Password in the cloud, password incorrect. So I guess these are all brute force attempts; they are recorded as…
Azure Policy Compliance error - Failed to register the assignments scopes to Microsoft.PolicyInsights provider
Hello, I can assign Azure policy without any issues. But when I click "Compliance," I get the error below. Thanks, in advance.
How to create a custom policy to disable Azure Storage Account firewall option?
I want to disable the Azure Storage Account firewall option. Forcing traffic to use Private EndPoint. I have found a few policies, but it is not disabling the feature. I would like to disable the option that is underlined in red. Thanks in advance.
Is there a way to exclude resource groups that contain the word databricks from policy assignment?
Hi - We have a number of policies that check if diagnostic settings are created for resources. Since Databricks uses a managed resource group, these policies always show non-compliant. Is there a way I could use a '*' in the policy definition to…
Creating a custom Azure Policy definition
Hi everyone, I'm working on creating a custom Azure Policy. I need to allow a small group of users, let’s call them user A, B and C, to access a few specific Blob containers (in a storage account). I don't want to allow the users directly. I want to…
During VM creation, why is the RDP open to Internet rule bypassing NSG policy to deny inbound rule for 3389 for Source Addresses outside of our whitelist?
3389 is successfully blocked by policy on an NSG when a user tries to create an inbound allow rule outside of our whitelist of sourceAddressPrefix for 3389, or any range that includes it (including '*'). The problem is when deploying a VM, if the RDP…
Creating a complex policy to cross-reference two array fields
Hi, I am looking for some advice on creating a complex policy which involves cross-referencing two fields of the same resource, each field being an array. A practical example I have in mind is checking if an Azure App Gateway has any public IP address…
AutoManage Windows Security Baseline for Azure Ad joined VMs
Hi All, hope you're doing well! We are facing an issue while using the Azure AutoManage Service with Azure AD Joined VMs. We have created a Custom Profile in AutoManage, enabling the Machine Configuration Feature with the ApplyAndAutoCorrect Feature. We then applied…
Azure Policy: Inheriting a Tag and Its Value from Subscription to Resource Groups
Is it possible to create an Azure policy that can automatically inherit a tag and its value (no matter what the value is) from the subscription to the resource group? The tag is always the same, for instance, Application, but the value can change…
How to identify Azure Data Lake Gen 2 inside Azure Policy
Hello, I need to scope an Azure Policy on Azure Data Lake Gen2 to prevent HTTP and the disabling of secure transfer. Thanks in advance.
Will Azure CIS 1.3 policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" be updated to accommodate the latest change of setting Client Cert mode to Ignore if HTTP v2.0 is used?
Due to the following change, we are not able to remediate the policy "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled" anymore (because the Client Cert Mode is now enforced to be set to Ignore when HTTP…
Bastion-only custom role-based access
There is a requirement to allow RDP access to a limited set of VMs on Azure; we use Bastion for admins, but for these particular users I ONLY want to give them the ability to use Bastion in the portal and then RDP to the servers. My question is: which…
Help with modifying built-in policy "Deploy Diagnostic Settings for Key Vault to Event Hub" so that it forwards logs to an Event Hub based on the key vault's region
With the limitation of Event Hub namespaces only being able to receive logs from resources in the same region, I am trying to avoid creating an assignment for every region we operate in, and instead simplify it into one custom policy assignment, so that the logs…
Azure Resource Diagnostic Settings
Hello Community, I have an Azure resource with diagnostic settings to forward logs to a workspace. I also want logs to go to a third-party application. Should I need to configure diagnostic settings within the Azure resource, or if I configure it in…
Issue with built-in Azure Policy "Configure Azure Activity logs to stream to specified Log Analytics workspace"
Hi, trying to deploy the policy "Configure Azure Activity logs to stream to specified Log Analytics workspace" https://www.azadvertizer.net/azpolicyadvertizer/2465583e-4e78-4c15-b6be-a36cbc7c8b0f.html. Although the parameter is configured to use…