Azure policies
Article
12/10/2021
Implementing custom policies allows you to do more with Azure Policy. The data management and analytics scenario comes with a set of pre-created policies to help you implement the required guardrails in your environment.
The data management and analytics scenario contains custom policies pertaining to resource and cost management, authentication, encryption, network isolation, logging, resilience, and more. They apply to the following services and areas:
Note: The policies provided below are not applied by default during deployment. They should be viewed as guidance only and can be applied depending on business requirements. Policies should always be applied at the highest level possible, which in most cases will be a management group. All the policies are available in our GitHub repository.
All services
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-PublicIp | Network Isolation | Restrict deployment of public IPs. |
| Deny-PrivateEndpoint-PrivateLinkServiceConnections | Network Isolation | Deny private endpoints to resources outside of the Azure AD tenant and subscription. |
| Deploy-DNSZoneGroup-{Service}-PrivateEndpoint | Network Isolation | Deploys the configuration of a Private DNS Zone Group, set by a parameter, for the service's private endpoint. Used to enforce the configuration to a single Private DNS Zone. |
| DiagnosticSettings-{Service}-LogAnalytics | Logging | Send diagnostic settings for Cosmos DB to a Log Analytics workspace. |
Storage
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-Storage-Encryption | Encryption | Enforce encryption for storage accounts. |
| Deny-Storage-AllowBlobPublicAccess | Network Isolation | Enforces no public access to all blobs or containers in the storage account. |
| Deny-Storage-ContainerDeleteRetentionPolicy | Resilience | Enforce container delete retention policies larger than seven days for storage account. |
| Deny-Storage-CorsRules | Network Isolation | Deny CORS rules for storage account. |
| Deny-Storage-InfrastructureEncryption | Encryption | Enforce infrastructure (double) encryption for storage accounts. |
| Deny-Storage-MinimumTlsVersion | Encryption | Enforces minimum TLS version 1.2 for storage account. |
| Deny-Storage-NetworkAclsBypass | Network Isolation | Enforces network bypass to none for storage account. |
| Deny-Storage-NetworkAclsIpRules | Network Isolation | Enforces network IP rules for storage account. |
| Deny-Storage-NetworkAclsVirtualNetworkRules | Network Isolation | Denies virtual network rules for storage account. |
| Deny-Storage-Sku | Resource Management | Enforces storage account SKUs. |
| Deny-Storage-SupportsHttpsTrafficOnly | Encryption | Enforces HTTPS traffic for storage account. |
| Deploy-Storage-BlobServices | Resource Management | Deploy blob services default settings for storage account. |
| Deny-Storage-RoutingPreference | Network Isolation | |
| Deny-Storage-Kind | Resource Management | |
| Deny-Storage-NetworkAclsDefaultAction | Network Isolation | |
Key Vault
| Policy name | Policy area | Description |
| --- | --- | --- |
| Audit-KeyVault-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for key vault. |
| Deny-KeyVault-NetworkAclsBypass | Network Isolation | Enforces bypass network level rules for key vault. |
| Deny-KeyVault-NetworkAclsDefaultAction | Network Isolation | Enforces default network ACL level action for key vault. |
| Deny-KeyVault-NetworkAclsIpRules | Network Isolation | Enforces network IP rules for key vault. |
| Deny-KeyVault-NetworkAclsVirtualNetworkRules | Network Isolation | Denies virtual network rules for key vault. |
| Deny-KeyVault-PurgeProtection | Resilience | Enforces purge protection for key vault. |
| Deny-KeyVault-SoftDelete | Resilience | Enforces soft delete with minimum number of retention days for key vault. |
| Deny-KeyVault-TenantId | Resource Management | Enforce tenant ID for key vault. |
Azure Data Factory
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-DataFactory-IdentityType | Authentication | Enforces use of system assigned identity for data factory. |
| Deny-DataFactory-ApiVersion | Resource Management | Denies old API version for data factory V1. |
| Deny-DataFactory-IntegrationRuntimeManagedVirtualNetwork | Network Isolation | Denies Integration Runtimes that are not connected to the Managed Virtual Network. |
| Deny-DataFactory-LinkedServicesConnectionStringType | Authentication | Denies secrets for linked services that are not stored in Key Vault. |
| Deny-DataFactory-ManagedPrivateEndpoints | Network Isolation | Denies external private endpoints for linked services. |
| Deny-DataFactory-PublicNetworkAccess | Network Isolation | Denies public access to data factory. |
| Deploy-DataFactory-ManagedVirtualNetwork | Network Isolation | Deploy managed virtual network for data factory. |
| Deploy-SelfHostedIntegrationRuntime-Sharing | Resilience | Share self-hosted integration runtime hosted in the Data Hub with Data Factories in the Data Nodes. |
Azure Synapse Analytics
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-Synapse-LinkedAccessCheckOnTargetResource | Network Isolation | Enforce LinkedAccessCheckOnTargetResource in managed vnet settings when a Synapse Workspace is created. |
| Append-Synapse-Purview | Network Isolation | Enforce connection between the central Purview instance and the Synapse Workspace. |
| Append-SynapseSpark-ComputeIsolation | Resource Management | When a Synapse Spark Pool is created without compute isolation, this will add it. |
| Append-SynapseSpark-DefaultSparkLogFolder | Logging | When a Synapse Spark Pool is created without logging, this will add it. |
| Append-SynapseSpark-SessionLevelPackages | Resource Management | When a Synapse Spark Pool is created without session level packages, this will add it. |
| Audit-Synapse-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for Synapse. |
| Deny-Synapse-AllowedAadTenantIdsForLinking | Network Isolation | |
| Deny-Synapse-Firewall | Network Isolation | Set up the firewall of Synapse. |
| Deny-Synapse-ManagedVirtualNetwork | Network Isolation | When a Synapse Workspace is created without a managed virtual network, this will add it. |
| Deny-Synapse-PreventDataExfiltration | Network Isolation | Enforces prevention of data exfiltration for the Synapse managed virtual network. |
| Deny-SynapsePrivateLinkHub | Network Isolation | Denies Synapse Private Link Hub. |
| Deny-SynapseSpark-AutoPause | Resource Management | Enforces auto pause for Synapse Spark Pools. |
| Deny-SynapseSpark-AutoScale | Resource Management | Enforces auto scale for Synapse Spark Pools. |
| Deny-SynapseSql-Sku | Resource Management | Denies certain Synapse SQL Pool SKUs. |
| Deploy-SynapseSql-AuditingSettings | Logging | Send auditing logs for Synapse SQL pools to Log Analytics. |
| Deploy-SynapseSql-MetadataSynch | Resource Management | Set up metadata sync for Synapse SQL pools. |
| Deploy-SynapseSql-SecurityAlertPolicies | Logging | Deploy Synapse SQL pool security alert policy. |
| Deploy-SynapseSql-TransparentDataEncryption | Encryption | Deploy Synapse SQL transparent data encryption. |
| Deploy-SynapseSql-VulnerabilityAssessment | Logging | Deploy Synapse SQL pool vulnerability assessments. |
Azure Purview
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-Purview | Resource Management | Restrict deployment of Purview accounts to avoid proliferation. |
Azure Databricks
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-Databricks-PublicIp | Network Isolation | Enforces no public access on Databricks workspaces. |
| Deny-Databricks-Sku | Resource Management | Deny non-premium Databricks SKU. |
| Deny-Databricks-VirtualNetwork | Network Isolation | Deny non-virtual network deployment for Databricks. |
Additional policies that are applied in the Databricks workspace through cluster policies:
| Cluster policy name | Policy area |
| --- | --- |
| Restrict Spark version | Resource Management |
| Restrict cluster size and VM types | Resource Management |
| Enforce Cost Tagging | Resource Management |
| Enforce Autoscale | Resource Management |
| Enforce AutoPause | Resource Management |
| Restrict DBUs per hour | Resource Management |
| Deny public SSH | Authentication |
| Cluster credential passthrough enabled | Authentication |
| Enable process isolation | Network Isolation |
| Enforce Spark monitoring | Logging |
| Enforce cluster logs | Logging |
| Allow only SQL, Python | Resource Management |
| Deny additional setup scripts | Resource Management |
Azure IoT Hub
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-IotHub-MinimalTlsVersion | Encryption | Enforces minimal TLS version for IoT Hub. |
| Audit-IotHub-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for IoT Hubs. |
| Deny-IotHub-PublicNetworkAccess | Network Isolation | Denies public network access for IoT Hub. |
| Deny-IotHub-Sku | Resource Management | Enforces IoT Hub SKUs. |
| Deploy-IotHub-IoTSecuritySolutions | Security | Deploy Microsoft Defender for IoT for IoT Hubs. |
Azure Event Hubs
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-EventHub-Ipfilterrules | Network Isolation | Deny adding IP filter rules for Azure Event Hubs. |
| Deny-EventHub-MaximumThroughputUnits | Network Isolation | Denies public network access for my SQL servers. |
| Deny-EventHub-NetworkRuleSet | Network Isolation | Enforces default virtual network rules for Azure Event Hubs. |
| Deny-EventHub-Sku | Resource Management | Denies certain SKUs for Azure Event Hubs. |
| Deny-EventHub-Virtualnetworkrules | Network Isolation | Deny adding virtual network rules for Azure Event Hubs. |
Azure Stream Analytics
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-StreamAnalytics-IdentityType | Authentication | Enforces use of system assigned identity for Stream Analytics. |
| Deny-StreamAnalytics-ClusterId | Resource Management | Enforces use of a Stream Analytics cluster. |
| Deny-StreamAnalytics-StreamingUnits | Resource Management | Enforces the number of Stream Analytics streaming units. |
Azure Data Explorer
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-DataExplorer-DiskEncryption | Encryption | Enforces use of disk encryption for Data Explorer. |
| Deny-DataExplorer-DoubleEncryption | Encryption | Enforces use of double encryption for Data Explorer. |
| Deny-DataExplorer-Identity | Authentication | Enforces use of system or user assigned identity for Data Explorer. |
| Deny-DataExplorer-Sku | Resource Management | Enforces Data Explorer SKUs. |
| Deny-DataExplorer-TrustedExternalTenants | Network Isolation | Denies external tenants for Data Explorer. |
| Deny-DataExplorer-VirtualNetworkConfiguration | Network Isolation | Enforces virtual network ingestion for Data Explorer. |
Azure Cosmos DB
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-Cosmos-DenyCosmosKeyBasedMetadataWriteAccess | Authentication | Deny key based metadata write access for Cosmos DB accounts. |
| Append-Cosmos-PublicNetworkAccess | Network Isolation | Enforces no public network access for Cosmos DB accounts. |
| Audit-Cosmos-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for Cosmos DB. |
| Deny-Cosmos-Cors | Network Isolation | Denies CORS rules for Cosmos DB accounts. |
| Deny-Cosmos-PublicNetworkAccess | Network Isolation | Denies public network access for Cosmos DB accounts. |
Azure Container Registry
| Policy name | Policy area | Description |
| --- | --- | --- |
| Audit-ContainerRegistry-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for cognitive services. |
| Deny-ContainerRegistry-PublicNetworkAccess | Network Isolation | Denies public network access for container registry. |
| Deny-ContainerRegistry-Sku | Resource Management | Enforces premium SKU for container registry. |
Azure Cognitive Services
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-CognitiveServices-IdentityType | Authentication | Enforces use of system assigned identity for cognitive services. |
| Audit-CognitiveServices-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for cognitive services. |
| Deny-CognitiveServices-Encryption | Encryption | Enforces use of encryption for cognitive services. |
| Deny-CognitiveServices-PublicNetworkAccess | Network Isolation | Enforces no public network access for cognitive services. |
| Deny-CognitiveServices-Sku | Resource Management | Deny cognitive services free SKU. |
| Deny-CognitiveServices-UserOwnedStorage | Network Isolation | Enforces user owned storage for cognitive services. |
Azure Machine Learning
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-MachineLearning-PublicAccessWhenBehindVnet | Network Isolation | Deny public access behind vnet for machine learning workspaces. |
| Audit-MachineLearning-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for machine learning. |
| Deny-MachineLearning-HbiWorkspace | Network Isolation | Enforce high business impact machine learning workspaces across the environment. |
| Deny-MachineLearningAks | Resource Management | Deny AKS creation (not attaching) in machine learning. |
| Deny-MachineLearningCompute-SubnetId | Network Isolation | Deny public IP for machine learning compute clusters and instances. |
| Deny-MachineLearningCompute-VmSize | Resource Management | Limit allowed VM sizes for machine learning compute clusters and instances. |
| Deny-MachineLearningComputeCluster-RemoteLoginPortPublicAccess | Network Isolation | Deny public access of clusters via SSH. |
| Deny-MachineLearningComputeCluster-Scale | Resource Management | Enforce scale settings for machine learning compute clusters. |
Azure SQL Managed Instance
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-SqlManagedInstance-MinimalTlsVersion | Encryption | Enforces minimal TLS version for SQL Managed Instance servers. |
| Deny-SqlManagedInstance-PublicDataEndpoint | Network Isolation | Denies public data endpoint for SQL Managed Instances. |
| Deny-SqlManagedInstance-Sku | Resource Management | |
| Deny-SqlManagedInstance-SubnetId | Network Isolation | Enforces deployments to subnets of SQL Managed Instances. |
| Deploy-SqlManagedInstance-AzureAdOnlyAuthentications | Authentication | Enforces Azure AD only authentication for SQL Managed Instance. |
| Deploy-SqlManagedInstance-SecurityAlertPolicies | Logging | Deploy SQL Managed Instance security alert policies. |
| Deploy-SqlManagedInstance-VulnerabilityAssessment | Logging | Deploy SQL Managed Instance vulnerability assessments. |
Azure SQL Database
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-Sql-MinimalTlsVersion | Encryption | Enforces minimal TLS version for SQL servers. |
| Audit-Sql-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for Azure SQL. |
| Deny-Sql-PublicNetworkAccess | Network Isolation | Denies public network access for SQL servers. |
| Deny-Sql-StorageAccountType | Resilience | Enforces geo-redundant database backup. |
| Deploy-Sql-AuditingSettings | Logging | Deploy SQL auditing settings. |
| Deploy-Sql-AzureAdOnlyAuthentications | Authentication | Enforces Azure AD only authentication for SQL server. |
| Deploy-Sql-SecurityAlertPolicies | Logging | Deploy SQL security alert policies. |
| Deploy-Sql-TransparentDataEncryption | Encryption | Deploy SQL transparent data encryption. |
| Deploy-Sql-VulnerabilityAssessment | Logging | Deploy SQL vulnerability assessments. |
| Deploy-SqlDw-AuditingSettings | Logging | Deploy SQL DW auditing settings. |
Azure Database for MariaDB
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-MariaDb-MinimalTlsVersion | Encryption | Enforces minimal TLS version for MariaDB servers. |
| Audit-MariaDb-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for MariaDB. |
| Deny-MariaDb-PublicNetworkAccess | Network Isolation | Denies public network access for MariaDB servers. |
| Deny-MariaDb-StorageProfile | Resilience | Enforces geo-redundant database backup with minimum retention time in days. |
| Deploy-MariaDb-SecurityAlertPolicies | Logging | Deploy SQL security alert policies for MariaDB. |
Azure Database for MySQL
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-MySQL-MinimalTlsVersion | Encryption | Enforces minimal TLS version for MySQL servers. |
| Audit-MySql-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for MySQL. |
| Deny-MySQL-InfrastructureEncryption | Encryption | Enforces infrastructure encryption for MySQL servers. |
| Deny-MySQL-PublicNetworkAccess | Network Isolation | Denies public network access for MySQL servers. |
| Deny-MySql-StorageProfile | Resilience | Enforces geo-redundant database backup with minimum retention time in days. |
| Deploy-MySql-SecurityAlertPolicies | Logging | Deploy SQL security alert policies for MySQL. |
Azure Database for PostgreSQL
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-PostgreSQL-MinimalTlsVersion | Encryption | Enforces minimal TLS version for PostgreSQL servers. |
| Audit-PostgreSql-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for PostgreSQL. |
| Deny-PostgreSQL-InfrastructureEncryption | Encryption | Enforces infrastructure encryption for PostgreSQL servers. |
| Deny-PostgreSQL-PublicNetworkAccess | Network Isolation | Denies public network access for PostgreSQL servers. |
| Deny-PostgreSql-StorageProfile | Resilience | Enforces geo-redundant database backup with minimum retention time in days. |
| Deploy-PostgreSql-SecurityAlertPolicies | Logging | Deploy SQL security alert policies for PostgreSQL. |
Azure Cognitive Search
| Policy name | Policy area | Description |
| --- | --- | --- |
| Append-Search-IdentityType | Authentication | Enforces use of system assigned identity for Cognitive Search. |
| Audit-Search-PrivateEndpointId | Network Isolation | Audit public endpoints that are created in other subscriptions for Cognitive Search. |
| Deny-Search-PublicNetworkAccess | Network Isolation | Denies public network access for Cognitive Search. |
| Deny-Search-Sku | Resource Management | Enforces Cognitive Search SKUs. |
Azure DNS
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-PrivateDnsZones | Resource Management | Restrict deployment of private DNS zones to avoid proliferation. |
Network security group
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deploy-Nsg-FlowLogs | Logging | Deploy NSG flow logs and traffic analytics. |
Batch
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-Batch-InboundNatPools | Network Isolation | Denies inbound NAT pools for batch account VM pools. |
| Deny-Batch-NetworkConfiguration | Network Isolation | Denies public IP addresses for batch account VM pools. |
| Deny-Batch-PublicNetworkAccess | Network Isolation | Denies public network access for batch accounts. |
| Deny-Batch-Scale | Resource Management | Denies certain scale configurations for batch account VM pools. |
| Deny-Batch-VmSize | Resource Management | Denies certain VM sizes for batch account VM pools. |
Azure Cache for Redis
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-Cache-Enterprise | Resource Management | Denies Redis Cache Enterprise. |
| Deny-Cache-FirewallRules | Network Isolation | Denies firewall rules for Redis Cache. |
| Deny-Cache-MinimumTlsVersion | Encryption | Enforces minimum TLS version for Redis Cache. |
| Deny-Cache-NonSslPort | Network Isolation | Enforces turning off the non-SSL port for Redis Cache. |
| Deny-Cache-PublicNetworkAccess | Network Isolation | Enforces no public network access for Redis Cache. |
| Deny-Cache-Sku | Resource Management | Enforces certain SKUs for Redis Cache. |
| Deny-Cache-VnetInjection | Network Isolation | Enforces use of private endpoints and denies vnet injection for Redis Cache. |
Container instances
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-ContainerInstance-PublicIpAddress | Network Isolation | Denies public Container Instances created from Azure Machine Learning. |
Azure Firewall
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-Firewall | Resource Management | Restrict deployment of Azure Firewall to avoid proliferation. |
HDInsight
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-HdInsight-EncryptionAtHost | Encryption | Enforce encryption at host for HDInsight clusters. |
| Deny-HdInsight-EncryptionInTransit | Encryption | Enforces encryption in transit for HDInsight clusters. |
| Deny-HdInsight-MinimalTlsVersion | Encryption | Enforces minimal TLS version for HDInsight clusters. |
| Deny-HdInsight-NetworkProperties | Network Isolation | Enforces private link enablement for HDInsight clusters. |
| Deny-HdInsight-Sku | | Enforces certain SKUs for HDInsight clusters. |
| Deny-HdInsight-VirtualNetworkProfile | Network Isolation | Enforces virtual network injection for HDInsight clusters. |
Power BI
| Policy name | Policy area | Description |
| --- | --- | --- |
| Deny-PrivateLinkServicesForPowerBI | Resource Management | Restrict deployment of private link services for Power BI to avoid proliferation. |
Next steps
Connecting to environments privately