Adding VM Instance View Details, e.g. osName, to the VM Resource Object JSON (for Custom Policy Use)
I'm requesting to add more details to the JSON of the VM resource object, particularly from the VM instance view data. This is to include operating system information, such as the name and version (osName and osVersion), for use in a custom Policy. Although these details are visible in the portal, they're not present in the VM's resource object, which is necessary for our custom policy.
Azure Policy - Seeking Guidance: Adding "Destination Table" to Built-In Azure Policy
Hi Team, I am sharing the existing Built-In Azure Policy that previously sent logs to Log Analytics Workspace. However, it currently lacks the option to choose "Destination Table" with selections such as "Azure Diagnostics" or "Resource Specific." I would like to include this option in the policy. Could you please advise on how to achieve this? Built-in Policy Name : Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics Policy Code { "mode": "Indexed", "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "microsoft.network/applicationgateways" }, { "anyOf": [ { "value": "[first(parameters('resourceLocationList'))]", "equals": "*" }, { "field": "location", "in": "[parameters('resourceLocationList')]" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { "count": { "field": "Microsoft.Insights/diagnosticSettings/logs[*]", "where": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "[equals(parameters('categoryGroup'), 'allLogs')]" }, { "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", "equals": "allLogs" } ] } }, "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" } ] }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "diagnosticSettingName": { "type": "string" }, "logAnalytics": { "type": "string" }, "categoryGroup": { "type": "String" }, "resourceName": { "type": "string" } }, "variables": {}, "resources": [ { "type": "microsoft.network/applicationgateways/providers/diagnosticSettings", "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]", "properties": { "workspaceId": "[parameters('logAnalytics')]", "logs": [ { "categoryGroup": "allLogs", "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]" } ], "metrics": [] } } ], "outputs": { "policy": { "type": "string", "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Application gateways (microsoft.network/applicationgateways), resourceName ', parameters('resourceName'), ' to Log Analytics ', parameters('logAnalytics'), ' configured')]" } } }, "parameters": { "diagnosticSettingName": { "value": "[parameters('diagnosticSettingName')]" }, "logAnalytics": { "value": "[parameters('logAnalytics')]" }, "categoryGroup": { "value": "[parameters('categoryGroup')]" }, "resourceName": { "value": "[field('name')]" } } } } } } }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "diagnosticSettingName": { "type": "String", "metadata": { "displayName": "Diagnostic Setting Name", "description": "Diagnostic Setting Name" }, "defaultValue": "setByPolicy-LogAnalytics" }, "categoryGroup": { "type": "String", "metadata": { "displayName": "Category Group", "description": "Diagnostic category group - none, audit, or allLogs." }, "allowedValues": [ "audit", "allLogs" ], "defaultValue": "audit" }, "resourceLocationList": { "type": "Array", "metadata": { "displayName": "Resource Location List", "description": "Resource Location List to send logs to nearby Log Analytics. A single entry \"*\" selects all locations (default)." }, "defaultValue": [ "*" ] }, "logAnalytics": { "type": "String", "metadata": { "displayName": "Log Analytics Workspace", "description": "Log Analytics Workspace", "strongType": "omsWorkspace", "assignPermissions": true } } } }
Azure Policy require multiple tags with values
I have a policy that requires specific tag with specific values (json below), but I want to require more tags within the same policy also with specific value and not sure how to do it... Is there a way to add more tags with specific values to the same policy? For example, I want to require two tags: environment with prod/non-prod and department with Infra/Finance Is it possible? Thank you! { "properties": { "displayName": "Require tag environment and its values on resources ", "policyType": "Custom", "mode": "Indexed", "description": "Enforces a required tag environment and its value. Does not apply to resource groups.", "metadata": { "category": "Tags", "createdBy": "" "createdOn": "" "updatedBy": "" "updatedOn": "" }, "version": "1.0.0", "parameters": { "tagName": { "type": "String", "metadata": { "displayName": "Tag Name1", "description": "Name of the tag, such as 'environment'" }, "allowedValues": [ "environment" ] }, "tagValue": { "type": "Array", "metadata": { "displayName": "Tag Value1", "description": "Value of the tag, such as 'production'" }, "allowedValues": [ "prod", "non-prod" ] } }, "policyRule": { "if": { "not": { "field": "[concat('tags[', parameters('tagName'), ']')]", "in": "[parameters('tagValue')]" } }, "then": { "effect": "deny" } }, "versions": [ "1.0.0" ] }, } }
Microsoft Cloud Security Benchmark policies not reporting in Defender for Cloud
We enable the MCSB security policy at our tenant level and manage compliance via Defender for Cloud. However, I have found that some of the policies are listed are not showing in the Defender for Cloud recommendations. For example, the policy "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled" is visible via Defender for Cloud>Environment Settings>Security Policies>MCSB and is linked to Policy Id 0c28c3fb-c244-42d5-a9bf-f35f2999577b. Within Azure Policy Compliance, I can find the policy in the assignment for MCSB and it reports both compliant and non-compliant resources in my tenant. However, there is nothing reported in Defender for Cloud for the policy under the Recommendations>All Recommendations. I have checked the filters applied and know it should be there - the similar policy is showing correctly (named "Azure SQL Managed Instance authentication mode should be Azure Active Directory Only" in the recommendation and security policies, and named "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation" in Azure Policy - 78215662-041e-49ed-a9dd-5385911b3a1f). Any suggestions on what could be causing this behaviour ? Regards Dominic
How to get Policy "Windows VMs should enable ADE or EncryptionAtHost." to be compliant?
Advisor noticed that Azure Disk Encryption is missing on my VMs and gave me the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost." A couple of weeks ago I installed the AzurePolicyforWindows extension on one of the machines. Its status changed to compliant. Two days ago, I did the same for all other VMs but their statuses haven't changed. Am I missing something or are the policies messing with me?Azure Inherited roles, but still access denied
Hi, In e.g. Key Vault, when looking for the Access Control I can see that user account have custom contributor role inherited from the subscription level. When looking for the role more deeply it shows: "Showing 500 of 15937 permissions View all (will take a moment to load)" E.g. having the following permissions: Read Secret Properties and Write Secret. So all should be kind of okay..? 🙂 But when I'm looking for the e.g. secrets in the key vault, it gives me back "The operation is not allowed by RBAC." and "You are unauthorized to view these contents.". I thought there could be a "deny" rules, but nothing in there either. What could be the trick on here? What might be blocking or missing the access to the resources. Btw, I just tested, I was able to create the Key Vault by myself.
Microsoft's inconsistent implementation of tagging in Azure
We revamped our Azure resource tagging strategy several years ago and rely on them heavily for #Governance and #FinOps. We not only enforce #tags via #AzurePolicy, we also enforce tag values based on a set of permissible values for each tag. Even with that in place we experience some drift due to exclusions required in the policy definition or exemptions in the policy assignments. I won't get into why this flexibility is needed here, that's a whole separate discussion. Establishing a sound tag hygiene process becomes a vital component of your overall governance and FinOps strategies. One method we employ for tag hygiene is to surface the non-compliant resources in a #PowerBi report using an #AzureResourceGraph (ARG) query. Yes, you can do this in the Compliance section of Azure Policy as well however it lacks ease of use. For example, flipping back and forth between policies, filtering by subscriptions, surfacing other linked metadata is a cumbersome experience in the Azure Policy blade. Now onto my frustrations with how Microsoft has implemented tagging across Azure. 1. Inconsistent application of Tag case-sensitivity across tools - In Azure Policy and in the Azure portal, tag names are case-insensitive whereas tag values are case-sensitive. - In Azure Resource Graph Explorer, both tag names and tag values are case-sensitive. - Why is there inconsistency with case-sensitivity of tag names? 2. Inconsistent Tag validation across Resource Types - When deploying a Storage Account, Azure validates my tag policy before I am able to hit the create button (before it's submitted to ARM) whereas when deploying a resource like a Public IP Address, that validation only occurs after you hit the create button. This likely happens with other resource types as well. By the way, my tagging policy specifies "Indexed" for mode, so in effect it should apply to any and all resources that support tagging in Azure. - Why is does the evaluation of the tag policy differ based on the resource being deployed? 3. Inconsistent Tag UX across Resource Types - When deploying a Storage Account, the tags input is a drop-down list. However, when deploying an Azure Virtual Machine, the tags input is a textbox. Although the latter makes use of predictive text, it's still clearly a different experience. This inconsistency is found across multiple Azure resources. - Why is the tag UX different between resource types? I realize some of this is addressed or is less of a concern when using IaC but that may not be for everyone, or work in all scenarios. It would be great if Microsoft could standardize their implementation of tagging resources uniformly across the entire Azure estate. In my opinion I don't think that's a huge ask.
