Azure Policy Bot
committed
Feb 5, 2024
1 parent
370f8a3
commit 00ad49d
Showing
29 changed files
with
2,707 additions
and
595 deletions.
661 changes: 539 additions & 122 deletions
661
...s/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_AutoAssessmentMode_Audit.json
713 changes: 585 additions & 128 deletions
713
...icyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_CRP_AutoAssessmentMode_Modify.json
730 changes: 602 additions & 128 deletions
730
...s/policyDefinitions/Azure Update Manager/AzUpdateMgmtCenter_ScheduledPatching_Deploy.json
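--- /dev/null
+++ b/built-in-policies/policyDefinitions/Backup/AzBackupRecoveryServicesVault_MUA_Audit.json
@@ -0,0 +1,47 @@
+{
+"properties": {
+"displayName": "[Preview]: Multi-User Authorization (MUA) must be enabled for Recovery Services Vaults.",
+"policyType": "BuiltIn",
+"mode": "Indexed",
+"description": "This policy audits if Multi-User Authorization (MUA) is enabled for Recovery Services Vaults. MUA helps in securing your Recovery Services Vaults by adding an additional layer of protection to critical operations. To learn more, visit https://aka.ms/MUAforRSV.",
+"metadata": {
+"version": "1.0.0-preview",
+"preview": true,
+"category": "Backup"
+},
+"version": "1.0.0-preview",
+"parameters": {
+"effect": {
+"metadata": {
+"description": "Enable or disable the execution of the policy.",
+"displayName": "Effect"
+},
+"defaultValue": "Audit",
+"type": "String",
+"allowedValues": [
+"Audit",
+"Disabled"
+]
+}
+},
+"policyRule": {
+"then": {
+"effect": "[parameters('effect')]"
+},
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.RecoveryServices/vaults"
+},
+{
+"field": "Microsoft.RecoveryServices/vaults/securitySettings.multiUserAuthorization",
+"notEquals": "Enabled"
+}
+]
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a",
+"name": "c7031eab-0fc0-4cd9-acd0-4497bd66d91a"
+}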
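Review bot: The `notEquals` condition on `securitySettings.multiUserAuthorization` presumably also fires when the alias is absent on a vault (Azure Policy evaluates a missing field as not equal to the compared value), so vaults on which security settings were never written are reported non-compliant alongside vaults with MUA explicitly disabled. If that is the intended coverage, the description should state it, e.g. append `Vaults on which the setting has not been configured are also reported as non-compliant.`; confirm against the alias behaviour before adding it. As a style point, this displayName ends with a trailing period while the other displayNames in this commit do not. Offering only Audit and Disabled matches the audit-only wording of the description.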
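--- /dev/null
+++ b/built-in-policies/policyDefinitions/Key Vault/Certificates_Issuers_AllowedCustomCAs.json
@@ -0,0 +1,62 @@
+{
+"properties": {
+"displayName": "[Preview]: Certificates should be issued by one of the specified non-integrated certificate authorities",
+"policyType": "BuiltIn",
+"mode": "Microsoft.KeyVault.Data",
+"description": "Manage your organizational compliance requirements by specifying custom or internal certificate authorities that can issue certificates in your key vault.",
+"metadata": {
+"version": "1.0.0-preview",
+"category": "Key Vault",
+"preview": true
+},
+"version": "1.0.0-preview",
+"parameters": {
+"caCommonNames": {
+"type": "array",
+"metadata": {
+"displayName": "The common names of the certificate authorities which are allowed",
+"description": "The common names (CN) of the Certificate Authority (CA) provider which are allowed. For example, if certificate create with Certificate Authority CN = Contoso, OU = .., DC and parameter caCommonNames is set as ['Contoso', 'AnotherCA'] then the certificate create will be allowed because the certificate authority contains Contoso which is one of the parameter values"
+}
+},
+"effect": {
+"type": "string",
+"metadata": {
+"displayName": "Effect",
+"description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.KeyVault.Data/vaults/certificates"
+},
+{
+"count": {
+"value": "[parameters('caCommonNames')]",
+"name": "caCommonName",
+"where": {
+"field": "Microsoft.KeyVault.Data/vaults/certificates/issuer.commonName",
+"contains": "[current('caCommonName')]"
+}
+},
+"equals": 0
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/d3e82b87-6673-410b-8501-1896b688b9a3",
+"name": "d3e82b87-6673-410b-8501-1896b688b9a3"
+}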
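Review bot: The `contains` condition inside the `where` clause makes caCommonNames a substring allow list rather than an exact issuer match, so an issuer whose common name merely embeds an allowed value (a constructed `Contoso-Dev`, for instance) satisfies the rule even under Deny, which weakens the control the policy is meant to provide. If exact matching is intended, `"equals": "[current('caCommonName')]"` is the tighter check; if substring matching is deliberate, the parameter description should say so plainly rather than only implying it through the example. The parameter also has no defaultValue and no minimum length, so an assignment with an empty array leaves the count at 0 for every certificate and, with Deny, blocks all certificate creation in the vault; that deserves a sentence in the description. Minor: `"type": "array"` and `"type": "string"` are lower-case here while the other definitions in this commit use `"String"`.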
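--- /dev/null
+++ b/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_ADOnlyEnabled_DisableADAuth_Deny.json
@@ -0,0 +1,55 @@
+{
+"properties": {
+"displayName": "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled",
+"description": "Require Azure SQL Managed Instance to use Microsoft Entra-only authentication. This policy doesn't block Azure SQL Managed instances from being created with local authentication enabled. It does block local authentication from being enabled on resources after create. Consider using the 'Microsoft Entra-only authentication' initiative instead to require both. Learn more at: https://aka.ms/adonlycreate.",
+"policyType": "BuiltIn",
+"mode": "All",
+"metadata": {
+"version": "1.0.0",
+"category": "SQL"
+},
+"version": "1.0.0",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "Enable or disable the execution of the policy"
+},
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"defaultValue": "Audit"
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications"
+},
+{
+"anyOf": [
+{
+"field": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/azureADOnlyAuthentication",
+"exists": false
+},
+{
+"field": "Microsoft.Sql/managedInstances/azureADOnlyAuthentications/azureADOnlyAuthentication",
+"equals": false
+}
+]
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/0c28c3fb-c244-42d5-a9bf-f35f2999577b",
+"name": "0c28c3fb-c244-42d5-a9bf-f35f2999577b"
+}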
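Review bot: The rule only evaluates `azureADOnlyAuthentications` child resources, so in Audit mode a managed instance on which Entra-only authentication was never configured is presumably not reported at all if ARM does not materialize that child resource; the description explains this gap for the Deny/creation case but not for compliance reporting. If that holds, a sentence such as `Instances that have never configured Entra-only authentication are not evaluated by this policy.` would make the coverage explicit; confirm against the evaluation behaviour before adding it. The `exists: false` branch of the `anyOf` is sensible defensive handling for a PUT that omits the property, and is worth keeping.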