Azure Policy built-in definitions for Azure Stream Analytics

This page is an index of Azure Policy built-in policy definitions for Azure Stream Analytics. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Stream Analytics

Name (Azure portal)	Description	Effect(s)	Version (GitHub)
Azure Stream Analytics jobs should use customer-managed keys to encrypt data	Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.	audit, Audit, deny, Deny, disabled, Disabled	1.1.0
Deploy Diagnostic Settings for Stream Analytics to Event Hub	Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated.	DeployIfNotExists, Disabled	2.0.0
Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace	Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated.	DeployIfNotExists, Disabled	1.0.0
Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Event Hub	Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs).	DeployIfNotExists, AuditIfNotExists, Disabled	1.0.0
Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Log Analytics	Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs).	DeployIfNotExists, AuditIfNotExists, Disabled	1.0.0
Enable logging by category group for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs) to Storage	Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Stream Analytics jobs (microsoft.streamanalytics/streamingjobs).	DeployIfNotExists, AuditIfNotExists, Disabled	1.0.0
Resource logs in Azure Stream Analytics should be enabled	Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised	AuditIfNotExists, Disabled	5.0.0
Stream Analytics job should connect to trusted inputs and outputs	Ensure that Stream Analytics jobs do not have arbitrary Input or Output connections that are not defined in the allow-list. This checks that Stream Analytics jobs don't exfiltrate data by connecting to arbitrary sinks outside your organization.	Deny, Disabled, Audit	1.1.0
Stream Analytics job should use managed identity to authenticate endpoints	Ensure that Stream Analytics jobs only connect to endpoints using managed identity authentication.	Deny, Disabled, Audit	1.0.0

Next steps

• See the built-ins on the Azure Policy GitHub repo.
• Review the Azure Policy definition structure.
• Review Understanding policy effects.