Azure Policy
An activity log alert should exist for specific Policy operations : Wrong category in the rules sec
Hi, I have "CIS Microsoft Azure Foundations Benchmark 1.1.0" assigned to my subscription and the policy "An activity log alert should exist for specific Policy operations" is non-compliant even though I created the necessary alert rules. I noticed that the category for the necessary alert rules (allowed values in the policy definition) is "Administrative" rather than "Policy", which is what is indicated in the policy rules. When I duplicate the policy and change the category to "Administrative" it becomes compliant, but the built-in policy is not affected by this and the whole initiative stays non-compliant, which also affects my compliance level for industry standards. What can I do to make this policy and initiative compliant, and to get compliant with industry standards? Or should it be updated by the relevant team?

{
  "properties": {
    "displayName": "An activity log alert should exist for specific Policy operations",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "This policy audits specific Policy operations with no activity log alerts configured.",
    "metadata": { "version": "2.0.0", "category": "Monitoring" },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" },
        "allowedValues": [ "AuditIfNotExists", "Disabled" ],
        "defaultValue": "AuditIfNotExists"
      },
      "operationName": {
        "type": "String",
        "metadata": { "displayName": "Operation Name", "description": "Policy Operation name for which activity log alert should exist" },
        "allowedValues": [
          "Microsoft.Authorization/policyAssignments/write",
          "Microsoft.Authorization/policyAssignments/delete"
        ]
      }
    },
    "policyRule": {
      "if": {
        "allOf": [ { "field": "type", "equals": "Microsoft.Resources/subscriptions" } ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Insights/ActivityLogAlerts",
          "existenceCondition": {
            "allOf": [
              { "field": "Microsoft.Insights/ActivityLogAlerts/enabled", "equals": "true" },
              {
                "count": {
                  "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
                  "where": {
                    "anyOf": [
                      {
                        "allOf": [
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "category" },
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals", "equals": "Policy" }
                        ]
                      },
                      {
                        "allOf": [
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "operationName" },
                          { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals", "equals": "[parameters('operationName')]" }
                        ]
                      }
                    ]
                  }
                },
                "equals": 2
              },
              { "not": { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "category" } },
              { "not": { "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field", "equals": "operationName" } }
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c5447c04-a4d7-4ba8-a263-c9ee321a6858",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c5447c04-a4d7-4ba8-a263-c9ee321a6858"
}

Kind regards, Sahin
Azure Policy - Find Resources without Tags

Hello Community, is it possible to define a Policy to find Resources without Tags? I would like to define this Policy to list all of the items at the "Compliance" point in the Policy tab. I have looked at the Definitions but I can't find this scenario. Did someone build a Policy for this scenario? Or can someone help me to build this Policy? Thanks a lot. Regards, Phil
Azure Policy - Enable Autoshutdown on Azure VM

Hello, is it possible to activate the Azure VM Autoshutdown function with an Azure Policy? I always found articles with a DevTest Lab. But I would like to use an Azure Policy in the Production Subscription to find VMs without an Azure AutoShutdown configuration. Thanks. Best Regards, Phil
Azure Policy - Enable Hybrid Use Benefit

Hello there. I'm struggling with a custom policy. My requirements are the following:

- Enable Hybrid Use Benefit for Microsoft.Compute/virtualMachines (properties.licenseType=Windows_Server)
- Work for both Marketplace and non-Marketplace virtual machines (ASRed, etc.)
- Fix deployments that are done without it enabled
- Allow remediation of existing resources

Initially I found Community Policy - deploy-hybrid-benefit-windows, which works for Marketplace, but not for VMs without imagePublisher and imageOffer. I identified properties.storageProfile.osDisk.osType as another way to identify Windows machines. The full policy is below, but it only works for remediation; it does not work for new deployments. What am I doing wrong? I also found this issue, which suggests adding a licenseType to the If, but then all resources are in compliance: https://github.com/Azure/azure-policy/issues/426 Remediation does not work and new resources don't either. Any help is very appreciated!

{
  "displayName": "Deploy Azure Hybrid Benefit for Windows.",
  "mode": "Indexed",
  "description": "This policy ensures virtual machines are configured for Azure Hybrid Benefit for Windows Server - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing#ways-to-use-azure-hybrid-benefit-for-windows-server.",
  "metadata": { "category": "Compute", "version": "1.0.1" },
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": { "displayName": "Effects", "description": "Enable or disable the execution of the Policy." },
      "allowedValues": [ "DeployIfNotExists", "Disabled" ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
        { "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", "equals": "Windows" }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Compute/virtualMachines",
        "existenceCondition": {
          "allOf": [
            { "field": "Microsoft.Compute/virtualMachines/licenseType", "equals": "Windows_Server" }
          ]
        },
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vmName": { "type": "String" },
                "licenseType": {
                  "defaultValue": "None",
                  "type": "String",
                  "allowedValues": [ "None", "Windows_Server" ]
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Compute/virtualMachines",
                  "apiVersion": "2021-03-01",
                  "name": "[parameters('vmName')]",
                  "location": "[resourceGroup().location]",
                  "properties": { "licenseType": "[parameters('licenseType')]" }
                }
              ],
              "outputs": {
                "policy": {
                  "type": "string",
                  "value": "[concat('Changed LicenseType for Windows VM', ': ', parameters('vmName'), '- ', parameters('licenseType'))]"
                }
              }
            },
            "parameters": {
              "vmName": { "value": "[field('name')]" },
              "licenseType": { "value": "Windows_Server" }
            }
          }
        }
      }
    }
  }
}

Thanks, Joel.
Azure Policy (tags)

Hello, I am working on a policy that restricts tags to predefined values. As of now, I have that functionality, but I also want to restrict the creation of new tags as well. I want the user to only have the ability to create tags from the predefined list of names and values; otherwise, deny. Any assistance would be helpful, thanks in advance. This is what I have so far:

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "not": {
            "allOf": [
              { "field": "tags['OrgCode']", "exists": "true" },
              { "field": "tags['OrgCode']", "notIn": "[parameters('OrgCode')]" }
            ]
          }
        },
        {
          "not": {
            "allOf": [
              { "field": "tags['Backuplevel']", "exists": "true" },
              { "field": "tags['Backuplevel']", "notIn": "[parameters('Backuplevel')]" }
            ]
          }
        },
        {
          "not": {
            "allOf": [
              { "field": "tags['Environment']", "exists": "true" },
              { "field": "tags['Environment']", "notIn": "[parameters('Environment')]" }
            ]
          }
        },
        { "not": { "field": "tags.AppID", "exists": "true" } }
      ]
    },
    "then": { "effect": "deny" }
  },
  "parameters": {
    "OrgCode": {
      "type": "Array",
      "metadata": { "description": "Provides a charge code or cost center to attribute the bill for the resources too. Tag value: Cost Center. Example: team@domain.com" },
      "allowedValues": [ "8510", "6000", "8310" ]
    },
    "Backuplevel": {
      "type": "Array",
      "metadata": { "description": "Provides information on department or team is responsible for administering/supporting the application. Tag value: Team name/email. Example: 1506548" },
      "allowedValues": [
        "azzu-vim-cpp-1", "azu-vim-cpp-2", "azu-vim-cpp-3", "azu-vim-cpp-4",
        "azu-mssql-cpp-1", "azu-mssql-cpp-2", "azu-mssql-cpp-3", "azu-mssql-cpp-4",
        "azu-odb-cpp-1", "azu-odb-cpp-2", "azu-odb-cpp-3", "azu-odb-cpp-4",
        "azu-no-backup"
      ]
    },
    "Environment": {
      "type": "Array",
      "metadata": { "description": "Provides information on what the resource group is used for (useful for maintenance, policy enforcement, chargeback, etc.) Tag value: Dev, QA, Stage, Test, Prod. Example: Prod" },
      "allowedValues": [ "Production", "Test", "Stage", "DR" ]
    }
  }
}
Allowed resource types: Microsoft.Web/sites/privateEndpointConnectionProxies not available

Hi Microsoft Team, we have started implementing some governance policies across our organization. One of the policies that we are trying to implement is Allowed resource types. We want to allow only certain types of resources to be spun up on our subscriptions. When we applied this policy we enabled all Microsoft.Web (including sites), but we are facing an issue when creating an app service with a private endpoint. It's failing on Microsoft.Web/sites/privateEndpointConnectionProxies. We have checked the policy parameters and there doesn't seem to be a way: we have enabled all Microsoft.Web (including sites), but do not see a way to add privateEndpointConnectionProxies, as it does not show up in the parameter list to select when we apply the policy. Any thoughts?
Audit Linux machines that have accounts without passwords - usernames with periods

Hi All, I hope this is the right place to ask this. This recommendation has shown up in Defender for Cloud in the last few weeks. Having checked that all our accounts have passwords, I took a look at the script this test is running, and it appears it is failing because our usernames have "." in them. I wanted to prove this was the case, so I temporarily updated the regex in the script from

'^(?<username>[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$))'

to

'^(?<username>[a-z_]([\.a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$))'

and the tests pass against our configuration. After a bit of research it seems that it depends on the Linux distribution as to which characters are allowed, but the POSIX specification allows for the period in the name. Also, the Azure portal doesn't allow periods, but deploying via an ARM template does (the latter being what we are doing). I can remove the period from most of our usernames, the exception being the main admin account, which was created by the Azure processes. I've not been able to find a means to change this; if I update the ARM template it tells me this option can't be changed. Any recommendations would be great, either an update to the policy script to allow for periods, as this is allowable on some Linux distributions, or a means to change the admin username that is supplied in the ARM template. Thanks in advance, Paul
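To make the difference between the two patterns concrete, here is an added Python example (not part of Paul's post and not the check script itself) that runs both regexes over a constructed /etc/shadow-style sample. Python's re module only accepts the (?P<name>...) form for named groups, so the patterns are rewritten that way; everything else is copied from the post. How the actual check script consumes the captured name is not on the page and is not modelled; the example only shows what each pattern captures for a username containing a period and, separately, which entries have an empty password field.

```python
import re

# Patterns from the post, with the named group in Python's (?P<name>...) form.
ORIGINAL_RE = re.compile(r'^(?P<username>[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$))')
WIDENED_RE = re.compile(r'^(?P<username>[a-z_]([\.a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$))')

# Constructed /etc/shadow-style sample (not real data). Field 2 is the password hash;
# an empty second field is the "account without password" condition being audited.
SAMPLE_SHADOW = """\
root:$6$saltroot$fakehash:19000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::
john.doe:$6$saltjohn$fakehash:19000:0:99999:7:::
jane.smith::19000:0:99999:7:::
"""


def captured_username(line, pattern):
    """Username as the regex captures it, or None if the line does not match at all."""
    match = pattern.match(line)
    return match.group("username") if match else None


def entries(text):
    """Yield (real_username, password_field) from shadow-style lines; the real name is field 1."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            yield fields[0], fields[1]


def accounts_without_password(text):
    """Usernames whose password field is empty, taken from the colon-split fields."""
    return [user for user, pw in entries(text) if pw == ""]


def capture_mismatches(text, pattern):
    """(real_username, captured) pairs where the regex capture is not the whole username."""
    mismatches = []
    for line in text.splitlines():
        if not line.strip():
            continue
        real = line.split(":")[0]
        captured = captured_username(line, pattern)
        if captured != real:
            mismatches.append((real, captured))
    return mismatches


if __name__ == "__main__":
    print("empty password field:", accounts_without_password(SAMPLE_SHADOW))
    print("original regex mismatches:", capture_mismatches(SAMPLE_SHADOW, ORIGINAL_RE))
    print("widened regex mismatches:", capture_mismatches(SAMPLE_SHADOW, WIDENED_RE))
```

The original pattern does not fail to match a line such as john.doe:...; it matches and captures "john", because the character class stops at the period, so any later logic keyed on the captured name is working with a different name than the one in the file. The widened pattern captures the whole name and still requires a leading letter or underscore. Whether periods are legitimate on a given image is a distribution question, as the post notes, so the check on the Linux side is what useradd on that image actually accepts.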
Anybody know how to create a custom policy to deny public network access to PaaS services

I know there is an audit component for PaaS resources regarding public network access, but is there a way to deny instead of audit the use of public network access? Or does anybody know how to create a custom policy for this ask?
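Three of the questions in this list (finding resources without tags, restricting tag values, and denying public network access on PaaS resources) are answered by the same shape of policyRule, so here is one added Python example, not code from any of the posts and not the Azure Policy engine, that holds three such rules as Azure Policy JSON and runs them through a small, simplified evaluator against constructed resources. The rules, the ALIASES map, the sample resources and the evaluator's treatment of absent properties are all assumptions made for this demo; the storage-account alias is the one the built-in "Storage accounts should disable public network access" policy uses, and other resource types need their own alias (Get-AzPolicyAlias lists them).

```python
import json

# Three policy rules as Azure Policy JSON (added example; not built-in definitions and not code
# from the thread). The storage alias is the one the built-in "Storage accounts should disable
# public network access" uses; other PaaS types have their own aliases (see Get-AzPolicyAlias).
POLICY_JSON = {
    "audit-missing-tag": """{
      "policyRule": {
        "if": { "field": "tags['CostCenter']", "exists": "false" },
        "then": { "effect": "audit" } } }""",
    "deny-tag-values": """{
      "parameters": { "allowedEnvironments": { "type": "Array", "defaultValue": ["Production", "Test", "Stage", "DR"] } },
      "policyRule": {
        "if": { "allOf": [
          { "field": "tags['Environment']", "exists": "true" },
          { "field": "tags['Environment']", "notIn": "[parameters('allowedEnvironments')]" } ] },
        "then": { "effect": "deny" } } }""",
    "deny-public-network": """{
      "policyRule": {
        "if": { "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          { "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess", "notEquals": "Disabled" } ] },
        "then": { "effect": "deny" } } }""",
}
POLICIES = {name: json.loads(text) for name, text in POLICY_JSON.items()}

# Simplified evaluator (assumption, not the Azure Policy engine): alias resolution is a hand-written
# map, string comparison is case-insensitive as in the real language, absent properties read as null.
ALIASES = {"Microsoft.Storage/storageAccounts/publicNetworkAccess": "properties.publicNetworkAccess"}
MISSING = object()


def lookup(resource, field):
    """Resolve tags['X'], a known alias, or a dotted path against a resource dict."""
    if field.startswith("tags['") and field.endswith("']"):
        return resource.get("tags", {}).get(field[6:-2], MISSING)
    node = resource
    for key in ALIASES.get(field, field).split("."):
        if not isinstance(node, dict) or key not in node:
            return MISSING
        node = node[key]
    return node


def resolve(value, params):
    """Expand an exact "[parameters('name')]" reference; anything else is a literal."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[13:-3]]
    return value


def norm(value):
    return value.lower() if isinstance(value, str) else value


def evaluate(cond, resource, params):
    if "allOf" in cond:
        return all(evaluate(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate(cond["not"], resource, params)
    raw = lookup(resource, cond["field"])
    if "exists" in cond:
        return (raw is not MISSING) == (str(cond["exists"]).lower() == "true")
    actual = None if raw is MISSING else norm(raw)
    if "equals" in cond:
        return actual == norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != norm(resolve(cond["notEquals"], params))
    if "notIn" in cond:
        return actual not in [norm(v) for v in resolve(cond["notIn"], params)]
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(policy, resource):
    """Effect the policy would apply to the resource, or None when the 'if' block does not match."""
    params = {k: v["defaultValue"] for k, v in policy.get("parameters", {}).items()}
    rule = policy["policyRule"]
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None


# Constructed resources (not real). Only the fields the rules read are present.
RESOURCES = [
    {"name": "stprodlogs", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"CostCenter": "8510", "Environment": "Production"}, "properties": {"publicNetworkAccess": "Disabled"}},
    {"name": "stdevscratch", "type": "Microsoft.Storage/storageAccounts",
     "tags": {"Environment": "Sandbox"}, "properties": {"publicNetworkAccess": "Enabled"}},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "tags": {"CostCenter": "6000", "Environment": "test"}},
]


def compliance_report(policies, resources):
    """Map resource name -> [(policy name, effect)] for every policy whose 'if' matched."""
    report = {}
    for resource in resources:
        hits = []
        for name, policy in policies.items():
            effect = effect_for(policy, resource)
            if effect:
                hits.append((name, effect))
        report[resource["name"]] = hits
    return report


if __name__ == "__main__":
    for name, hits in compliance_report(POLICIES, RESOURCES).items():
        print(f"{name}: {hits or 'compliant'}")
```

Two points the run makes: deny-tag-values on its own never fires for a resource with no Environment tag at all, which is why a missing-tag rule (audit, or deny with "exists": "false") has to sit beside it; and a deny effect only blocks new create and update requests, so resources that already exist with public network access enabled are reported as non-compliant rather than changed.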