Azure Policy Samples

The following table includes links to samples for Azure Policy. These samples are also found in the Azure Policy samples repository.

General

Naming

Allow multiple name patterns: Allows one of many name patterns to be used for resources.
Require like pattern: Ensures that resource names meet the like condition for a pattern.
Require match pattern: Ensures that resource names match the naming pattern.
Require tag match pattern: Ensures that a tag value matches a text pattern.

Tags

Apply tag and its default value: Appends a specified tag name and value if that tag is not provided. You specify the tag name and value to apply.
Billing Tags Policy Initiative: Requires specified tag values for cost center and product name. Uses built-in policies to apply and enforce required tags. You specify the required values for the tags.
Enforce tag and its value: Requires a specified tag name and value. You specify the tag name and value to enforce.
Enforce tag and its value on resource groups: Requires a tag and value on a resource group. You specify the required tag name and value.

Locations

Allowed locations: Requires that all resources are deployed to the approved locations. You specify an array of approved locations.

Resource Types

Allowed resource types: Ensures that only approved resource types are deployed. You specify an array of resource types that are permitted.
Not allowed resource types: Prohibits the deployment of specified resource types. You specify an array of the resource types to block.

Compute

Virtual Machines

Allow custom VM image from a Resource Group: Requires that custom images come from an approved resource group. You specify the name of the approved resource group.
Allowed SKUs for Storage Accounts and Virtual Machines: Requires that storage accounts and virtual machines use approved SKUs. Uses built-in policies to ensure approved SKUs. You specify an array of approved virtual machine SKUs and an array of approved storage account SKUs.
Approved VM images: Requires that only approved custom images are deployed in your environment. You specify an array of approved image IDs.
Audit if extension does not exist: Audits if an extension is not deployed with a virtual machine. You specify the extension publisher and type to check whether it was deployed.
Not allowed VM Extensions: Prohibits the use of specified extensions. You specify an array containing the prohibited extension types.

Virtual Machine Scale Sets

Audit when VM does not use Managed Disk: Audits when a virtual machine is created that does not use managed disks.
Create VM using Managed Disk: Requires that virtual machines use managed disks.
Deny hybrid use benefit: Prohibits use of Azure Hybrid Use Benefit (AHUB). Use when you do not want to permit use of on-premises licenses.
Only allow a certain VM platform image: Requires that virtual machines use a specific version of UbuntuServer.

Data Lake

Enforce Data Lake Store encryption: Denies any Data Lake Store accounts that don't have encryption enabled.

Monitoring

Audit diagnostic setting: Audits if diagnostic settings are not enabled for specified resource types. You specify an array of resource types to check whether diagnostic settings are enabled.

Network

Network Interfaces

NSG X on every NIC: Requires that a specific network security group is used with every virtual network interface. You specify the ID of the network security group to use.
Use approved subnet for VM network interfaces: Requires that network interfaces use an approved subnet. You specify the ID of the approved subnet.
Use approved vNet for VM network interfaces: Requires that network interfaces use an approved virtual network. You specify the ID of the approved virtual network.

Virtual Networks

Allowed Application Gateway SKUs: Requires that application gateways use an approved SKU. You specify an array of approved SKUs.
No network peering to ER network: Prohibits a network peering from being associated with a network in a specified resource group. Use to prevent connection with centrally managed network infrastructure. You specify the name of the resource group to prevent association.
No User Defined Route Table: Prohibits virtual networks from being deployed with a user-defined route table.
NSG X on every subnet: Requires that a specific network security group is used with every virtual subnet. You specify the ID of the network security group to use.
Use approved subnet for VM network interfaces: Requires that network interfaces use an approved subnet. You specify the ID of the approved subnet.
Use approved vNet for VM network interfaces: Requires that network interfaces use an approved virtual network. You specify the ID of the approved virtual network.

Network Security Groups

NSG X on every NIC: Requires that a specific network security group is used with every virtual network interface. You specify the ID of the network security group to use.
NSG X on every subnet: Requires that a specific network security group is used with every virtual subnet. You specify the ID of the network security group to use.

Express Route

Allowed Express Route bandwidth: Requires that Express Routes use a specified set of bandwidths. You specify an array of SKUs that are allowed for Express Route.
Allowed Express Route SKUs: Requires that Express Routes use an approved SKU. You specify an array of allowed SKUs.
Allowed Peering Location for Express Route: Requires that Express Routes use specified peering locations. You specify an array of allowed peering locations.

Network Watchers

Audit if Network Watcher is not enabled for region: Audits if Network Watcher is not enabled for a specified region. You specify the name of the region to check whether Network Watcher is enabled.

Application Gateways

Allowed Application Gateway SKUs: Requires that application gateways use an approved SKU. You specify an array of approved SKUs.

SQL

SQL Servers

Audit no Azure Active Directory administrator: Audits when there is no Azure Active Directory administrator assigned to the SQL server.
Audit Server level threat detection setting: Audits SQL server security alert policies if those policies are not set to the specified state. You specify a value that indicates whether threat detection is enabled or disabled.
Audit SQL Server audit settings: Audits SQL servers based on whether the audit settings are enabled.
Audit SQL Server Level Audit Setting: Audits SQL server audit settings if those settings do not match a specified setting. You specify a value that indicates whether audit settings should be enabled or disabled.
Require SQL Server version 12.0: Requires SQL servers to use version 12.0.

SQL Databases

Allowed SQL DB SKUs: Requires that SQL databases use an approved SKU. You specify an array of allowed SKU IDs or an array of allowed SKU names.
Audit DB level threat detection setting: Audits SQL database security alert policies if those policies are not set to the specified state. You specify a value that indicates whether threat detection is enabled or disabled.
Audit SQL Database encryption: Audits if a SQL database does not have transparent data encryption enabled.
Audit SQL DB Level Audit Setting: Audits SQL database audit settings if those settings do not match a specified setting. You specify a value that indicates whether audit settings should be enabled or disabled.
Audit transparent data encryption status: Audits SQL database transparent data encryption if it is not enabled.

Storage

Allowed SKUs for Storage Accounts and Virtual Machines: Requires that storage accounts and virtual machines use approved SKUs. Uses built-in policies to ensure approved SKUs. You specify an array of approved virtual machine SKUs and an array of approved storage account SKUs.
Allowed storage account SKUs: Requires that storage accounts use an approved SKU. You specify an array of approved SKUs.
Deny cool access tiering for storage accounts: Prohibits the use of cool access tiering for blob storage accounts.
Ensure https traffic only for storage account: Requires that storage accounts accept HTTPS traffic only.
Ensure storage file encryption: Requires that file encryption is enabled for storage accounts.
Require storage account encryption: Requires that storage accounts use blob encryption.

Next steps