Azure Policy
Microsoft's inconsistent implementation of tagging in Azure
We revamped our Azure resource tagging strategy several years ago and rely on them heavily for #Governance and #FinOps. We not only enforce #tags via #AzurePolicy, we also enforce tag values based on a set of permissible values for each tag. Even with that in place we experience some drift due to exclusions required in the policy definition or exemptions in the policy assignments. I won't get into why this flexibility is needed here; that's a whole separate discussion. Establishing a sound tag hygiene process becomes a vital component of your overall governance and FinOps strategies.

One method we employ for tag hygiene is to surface the non-compliant resources in a #PowerBi report using an #AzureResourceGraph (ARG) query. Yes, you can do this in the Compliance section of Azure Policy as well; however, it lacks ease of use. For example, flipping back and forth between policies, filtering by subscriptions, and surfacing other linked metadata is a cumbersome experience in the Azure Policy blade.

Now onto my frustrations with how Microsoft has implemented tagging across Azure.

1. Inconsistent application of tag case-sensitivity across tools
- In Azure Policy and in the Azure portal, tag names are case-insensitive whereas tag values are case-sensitive.
- In Azure Resource Graph Explorer, both tag names and tag values are case-sensitive.
- Why is there inconsistency with case-sensitivity of tag names?

2. Inconsistent tag validation across resource types
- When deploying a Storage Account, Azure validates my tag policy before I am able to hit the Create button (before it's submitted to ARM), whereas when deploying a resource like a Public IP Address, that validation only occurs after you hit the Create button. This likely happens with other resource types as well. By the way, my tagging policy specifies "Indexed" for mode, so in effect it should apply to any and all resources that support tagging in Azure.
- Why does the evaluation of the tag policy differ based on the resource being deployed?

3. Inconsistent tag UX across resource types
- When deploying a Storage Account, the tags input is a drop-down list. However, when deploying an Azure Virtual Machine, the tags input is a textbox. Although the latter makes use of predictive text, it's still clearly a different experience. This inconsistency is found across multiple Azure resources.
- Why is the tag UX different between resource types?

I realize some of this is addressed or is less of a concern when using IaC, but that may not be for everyone, or work in all scenarios. It would be great if Microsoft could standardize their implementation of tagging resources uniformly across the entire Azure estate. In my opinion I don't think that's a huge ask.

How to export Azure Compliance Data for NIST 800-53 r4 in a PDF format
I am doing a security audit and have to provide recommendations to my customer based on the audit outcome. I have created a NIST 800-53 R4 policy initiative and assigned it to a few subscriptions. So I would like to export this compliance report now in the form of a PDF or a CSV. How is that possible? I don't see any option to export the compliance report. You get this option in Azure Security Center for CIS, PCI DSS, SOC TSP and ISO 27001. I want something like that in Azure Policy. Can anyone help me with this or provide some pointers? Thanks
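An added example, not part of the post above and not Microsoft tooling: the per-resource compliance records behind the Compliance blade can be dumped with `az policy state list -o json` (narrow it with `--filter` to one assignment) and then flattened offline into the CSV the auditor wants. The script below does that conversion on a constructed sample of such records; the field names (complianceState, policyAssignmentName, policyDefinitionReferenceId, policyDefinitionName, resourceId, timestamp) follow what the CLI returns, while the assignment name, reference IDs, definition names and resource IDs are invented. It writes a per-resource detail file and a per-control summary, and keeps Exempt resources out of the percentage so an exemption does not show up as a finding.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample of policy-state records. The shape and field names follow the
# JSON array that `az policy state list -o json` returns; the assignment name,
# reference IDs, definition names and resource IDs are invented for this example.
SAMPLE_STATES_JSON = """
[
  {"complianceState": "NonCompliant", "policyAssignmentName": "nist-800-53-r4",
   "policyDefinitionReferenceId": "AU-6-activity-log-alert", "policyDefinitionName": "policy-op-alert",
   "resourceId": "/subscriptions/sub-a", "timestamp": "2021-03-01T10:00:00Z"},
  {"complianceState": "Compliant", "policyAssignmentName": "nist-800-53-r4",
   "policyDefinitionReferenceId": "SC-8-storage-https", "policyDefinitionName": "storage-https-only",
   "resourceId": "/subscriptions/sub-a/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp01",
   "timestamp": "2021-03-01T10:00:00Z"},
  {"complianceState": "NonCompliant", "policyAssignmentName": "nist-800-53-r4",
   "policyDefinitionReferenceId": "SC-8-storage-https", "policyDefinitionName": "storage-https-only",
   "resourceId": "/subscriptions/sub-a/resourceGroups/rg-legacy/providers/Microsoft.Storage/storageAccounts/stlegacy",
   "timestamp": "2021-03-01T10:00:00Z"},
  {"complianceState": "Compliant", "policyAssignmentName": "nist-800-53-r4",
   "policyDefinitionReferenceId": "SC-8-storage-https", "policyDefinitionName": "storage-https-only",
   "resourceId": "/subscriptions/sub-b/resourceGroups/rg-app/providers/Microsoft.Storage/storageAccounts/stapp02",
   "timestamp": "2021-03-01T10:00:00Z"},
  {"complianceState": "Exempt", "policyAssignmentName": "nist-800-53-r4",
   "policyDefinitionReferenceId": "SC-8-storage-https", "policyDefinitionName": "storage-https-only",
   "resourceId": "/subscriptions/sub-b/resourceGroups/rg-lab/providers/Microsoft.Storage/storageAccounts/stlab",
   "timestamp": "2021-03-01T10:00:00Z"}
]
"""

DETAIL_COLUMNS = ["policyAssignmentName", "policyDefinitionReferenceId",
                  "policyDefinitionName", "resourceId", "complianceState", "timestamp"]
STATE_NAMES = ("Compliant", "NonCompliant", "Exempt")
SUMMARY_COLUMNS = ["policyDefinitionReferenceId", *STATE_NAMES, "compliancePercent"]


def load_states(text):
    """Parse the CLI's JSON array; reject anything that is not a list of records."""
    states = json.loads(text)
    if not isinstance(states, list) or not all(isinstance(s, dict) for s in states):
        raise ValueError("expected a JSON array of policy-state records")
    return states


def detail_rows(states):
    """One row per (resource, policy) pair, restricted to the audit-relevant columns."""
    return [{col: s.get(col, "") for col in DETAIL_COLUMNS} for s in states]


def summarize_by_control(states):
    """Per policyDefinitionReferenceId (the initiative's control id): state counts and the
    compliance percentage over Compliant + NonCompliant only. An unknown state is treated
    as a finding rather than silently dropped."""
    counts = defaultdict(lambda: {name: 0 for name in STATE_NAMES})
    for s in states:
        ref = s.get("policyDefinitionReferenceId") or s.get("policyDefinitionName", "")
        state = s.get("complianceState")
        counts[ref][state if state in STATE_NAMES else "NonCompliant"] += 1
    summary = []
    for ref in sorted(counts):
        c, n = counts[ref]["Compliant"], counts[ref]["NonCompliant"]
        pct = round(100.0 * c / (c + n), 1) if c + n else 100.0
        summary.append({"policyDefinitionReferenceId": ref, **counts[ref], "compliancePercent": pct})
    return summary


def to_csv(rows, columns):
    """Render rows as CSV text (Excel/Power BI friendly) without touching the filesystem."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def export(states_json):
    """Return (detail_csv, summary_csv) for one CLI dump."""
    states = load_states(states_json)
    return (to_csv(detail_rows(states), DETAIL_COLUMNS),
            to_csv(summarize_by_control(states), SUMMARY_COLUMNS))


if __name__ == "__main__":
    detail_csv, summary_csv = export(SAMPLE_STATES_JSON)
    with open("compliance-detail.csv", "w") as f:
        f.write(detail_csv)
    with open("compliance-summary.csv", "w") as f:
        f.write(summary_csv)
    print(summary_csv)
```

Pipe the real dump in with `az policy state list --filter "policyAssignmentName eq '<assignment>'" -o json > states.json` and call `export(open("states.json").read())`; the summary groups on policyDefinitionReferenceId because that is the id the initiative uses for each control, which is what an auditor maps back to NIST control numbers.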
Azure Policy - Configure backup on virtual machines with a given tag

I wonder if somebody could sanity check something for me with this please, in case it's something I could be missing. We have this existing policy configured in a customer's tenant (https://www.azadvertizer.net/azpolicyadvertizer/345fa903-145c-4fe1-8bcd-93ec2adccde8.html). After creating a VM and allocating the correct tag etc., it didn't automatically have the backup policy assigned to it. With the policy assignment itself it didn't even appear as a non-compliant resource. I went through the checks to make sure it was the same region, correct tag, correct RSV and policy, which all appeared to look fine. When remediating it still wasn't pulling the resource through. When I went into the definition detail to see what could be amiss, I noticed the list of WindowsServer image SKUs that were listed (image attached here: https://i.stack.imgur.com/1YPpM.png). As I was sanity checking everything, I looked at the VM to see that the SKU wasn't actually in this list (2019-datacenter-smalldisk-g2). As every SKU is listed specifically, it makes me think this image has just been missed off and needs adding, rather than it getting captured by one of the SKUs listed. I can add the VM manually to the existing RSV for now, but for future reference, is there a way I can raise this if my findings are indeed correct?

Policy trigger for Microsoft.Network/virtualNetworks/subnets/join/action
Hello Team, I have a use case where I do not want any resource to connect to my VNET except a few allowed ones. We are designing a secured containerized environment for our customers with very strict access control policies. However, we are not seeing the policy triggered for the network join operation. For testing purposes, I used the following policy just to capture and deny all operations on virtual networks, and assigned this policy to the resource group scope where my VNET is present:

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "field": "type",
          "equals": "Microsoft.Network/virtualNetworks"
        },
        "then": {
          "effect": "deny"
        }
      }
    }

After this policy is assigned to my resource group, I am not able to create VNETs in my resource group; however, I am still able to join an existing VNET in this resource group. It looks like the policy is not even getting evaluated/triggered for the network join action. Can you please suggest how we can deny this action?

Azure Policy, type Static
I am going through the Azure Policy documentation, and while I understand all 3 types mentioned in there, I couldn't see any policy with type set as Static. I enabled NIST SP 800-53 R4 from the Security Policy section in Defender for Cloud; still I can't see any policy within this initiative where type would be set to Static. I am just trying to look for an example of a Static policy type.

Subscription placement policy
Our student Azure pay-as-you-go subscriptions appear in our root tenant. I would like to create a policy to restrict where those types of subscriptions can be placed. That is, create a default management group just for pay-as-you-go subscriptions. Is this possible?

How to create a custom audit policy with more than one parameter
I was looking for a way to create an audit policy to check whether two resource tags exist, and flag which resources are non-compliant with this. In this post, I give you the final policy JSON and step you through the process of taking what you know, to apply it to something new: https://techcommunity.microsoft.com/t5/itops-talk-blog/how-to-build-an-audit-azure-policy-with-multiple-parameters/ba-p/1866062?WT.mc_id=modinfra-10601-socuff

-Sonia

An activity log alert should exist for specific Policy operations : Wrong category in the rules sec
Hi, I have "CIS Microsoft Azure Foundations Benchmark 1.1.0" assigned to my subscription, and the policy "An activity log alert should exist for specific Policy operations" is non-compliant even though I created the necessary alert rules. I noticed that the category for the necessary alert rules (allowed values in the policy definition) is "Administrative" rather than "Policy", which is what is indicated in the policy rules. When I duplicate the policy and change the category to "Administrative" it becomes compliant, but the built-in policy is not affected by this and the whole initiative stays non-compliant, which also affects my compliance level for industry standards. What can I do to make this policy and initiative compliant and get compliant with industry standards? Or should it be updated by the relevant team?

    {
      "properties": {
        "displayName": "An activity log alert should exist for specific Policy operations",
        "policyType": "BuiltIn",
        "mode": "All",
        "description": "This policy audits specific Policy operations with no activity log alerts configured.",
        "metadata": {
          "version": "2.0.0",
          "category": "Monitoring"
        },
        "parameters": {
          "effect": {
            "type": "String",
            "metadata": {
              "displayName": "Effect",
              "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
              "AuditIfNotExists",
              "Disabled"
            ],
            "defaultValue": "AuditIfNotExists"
          },
          "operationName": {
            "type": "String",
            "metadata": {
              "displayName": "Operation Name",
              "description": "Policy Operation name for which activity log alert should exist"
            },
            "allowedValues": [
              "Microsoft.Authorization/policyAssignments/write",
              "Microsoft.Authorization/policyAssignments/delete"
            ]
          }
        },
        "policyRule": {
          "if": {
            "allOf": [
              {
                "field": "type",
                "equals": "Microsoft.Resources/subscriptions"
              }
            ]
          },
          "then": {
            "effect": "[parameters('effect')]",
            "details": {
              "type": "Microsoft.Insights/ActivityLogAlerts",
              "existenceCondition": {
                "allOf": [
                  {
                    "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
                    "equals": "true"
                  },
                  {
                    "count": {
                      "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                      "where": {
                        "anyOf": [
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                                "equals": "category"
                              },
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                                "equals": "Policy"
                              }
                            ]
                          },
                          {
                            "allOf": [
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                                "equals": "operationName"
                              },
                              {
                                "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
                                "equals": "[parameters('operationName')]"
                              }
                            ]
                          }
                        ]
                      }
                    },
                    "equals": 2
                  },
                  {
                    "not": {
                      "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                      "equals": "category"
                    }
                  },
                  {
                    "not": {
                      "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
                      "equals": "operationName"
                    }
                  }
                ]
              }
            }
          }
        }
      },
      "id": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
      "type": "Microsoft.Authorization/policyDefinitions",
      "name": "c5447c04-a4d7-4ba8-a263-c9ee321a6858"
    }

Kind regards, Sahin
Anybody know how to create a custom policy to deny public network access to PaaS services

I know there is an audit component for PaaS resources to deny public network access, but is there a way to deny instead of audit the denial of public network access? Or does anybody know how to create a custom policy for this ask?