Built-in Policy Release 8feb5a11 (#1285)
Co-authored-by: Azure Policy Bot <azgovpolicy@microsoft.com>
1 parent
eab2188
commit 1c5f290
Showing
34 changed files
with
1,061 additions
and
143 deletions.
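--- a/...olicies/policyDefinitions/Azure Ai Services/CognitiveServices_DisableLocalAuth_Audit.json
+++ b/...olicies/policyDefinitions/Azure Ai Services/CognitiveServices_DisableLocalAuth_Audit.json
@@ -0,0 +1,63 @@
+{
+"properties": {
+"displayName": "Azure AI Services resources should have key access disabled (disable local authentication)",
+"policyType": "BuiltIn",
+"mode": "Indexed",
+"description": "Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth",
+"metadata": {
+"version": "1.1.0",
+"category": "Azure Ai Services"
+},
+"version": "1.1.0",
+"parameters": {
+"effect": {
+"type": "String",
+"defaultValue": "Audit",
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"metadata": {
+"displayName": "Effect",
+"description": "Enable or disable the execution of the policy"
+}
+}
+},
+"policyRule": {
+"if": {
+"anyOf": [
+{
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.CognitiveServices/accounts"
+},
+{
+"field": "Microsoft.CognitiveServices/accounts/disableLocalAuth",
+"notEquals": true
+}
+]
+},
+{
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Search/searchServices"
+},
+{
+"field": "Microsoft.Search/searchServices/disableLocalAuth",
+"notEquals": true
+}
+]
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc",
+"name": "71ef260a-8f18-47b7-abcb-62d0673d94dc"
+}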
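Review bot: The `effect` parameter's description, `"Enable or disable the execution of the policy"`, does not tell an assigner what the three allowed values do. With `Deny` selected, this rule rejects any Microsoft.CognitiveServices account or Microsoft.Search service whose `disableLocalAuth` is not `true`, and as far as I know `notEquals` also matches when the property is unset. I would reuse the wording of the sibling NetworkAcls definition, `"The effect determines what happens when the policy rule is evaluated to match"`, and state in the policy description that `Deny` blocks deployments that leave key access on. The parameter type is spelled `"String"` here and `"string"` in the NetworkAcls file; one casing across the release would read better.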
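--- a/...-in-policies/policyDefinitions/Azure Ai Services/CognitiveServices_NetworkAcls_Audit.json
+++ b/...-in-policies/policyDefinitions/Azure Ai Services/CognitiveServices_NetworkAcls_Audit.json
@@ -0,0 +1,67 @@
+{
+"properties": {
+"displayName": "Azure AI Services resources should restrict network access",
+"policyType": "BuiltIn",
+"mode": "Indexed",
+"description": "By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service.",
+"metadata": {
+"version": "3.1.0",
+"category": "Azure Ai Services"
+},
+"version": "3.1.0",
+"parameters": {
+"effect": {
+"type": "string",
+"defaultValue": "Audit",
+"allowedValues": [
+"Audit",
+"Deny",
+"Disabled"
+],
+"metadata": {
+"displayName": "Effect",
+"description": "The effect determines what happens when the policy rule is evaluated to match"
+}
+}
+},
+"policyRule": {
+"if": {
+"anyOf": [
+{
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.CognitiveServices/accounts"
+},
+{
+"field": "Microsoft.CognitiveServices/accounts/publicNetworkAccess",
+"notEquals": "Disabled"
+},
+{
+"field": "Microsoft.CognitiveServices/accounts/networkAcls.defaultAction",
+"notEquals": "Deny"
+}
+]
+},
+{
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Search/searchServices"
+},
+{
+"field": "Microsoft.Search/searchServices/networkRuleSet.ipRules[*]",
+"exists": "false"
+}
+]
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+},
+"id": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3",
+"name": "037eea7a-bd0a-46c5-9a66-03aea78705d3"
+}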
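Review bot: The Microsoft.Search/searchServices branch matches on missing `networkRuleSet.ipRules[*]` alone, so a search service that has public network access turned off, and therefore needs no IP rules, would still be reported and, under `Deny`, refused. The Cognitive Services branch avoids this by testing `publicNetworkAccess` first. Adding `{ "field": "Microsoft.Search/searchServices/publicNetworkAccess", "notEquals": "Disabled" }` to that `allOf` would make the two branches agree; the alias name should be confirmed against the provider's alias list before merging. Separately, `"exists": "false"` is written as a string while the DisableLocalAuth definition in this release uses a bare boolean (`"notEquals": true`); a boolean here would be consistent.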
47 changes: 0 additions & 47 deletions
47
...licies/policyDefinitions/Cognitive Services/CognitiveServices_DisableLocalAuth_Audit.json
This file was deleted.
47 changes: 0 additions & 47 deletions
47
...in-policies/policyDefinitions/Cognitive Services/CognitiveServices_NetworkAcls_Audit.json
This file was deleted.