Added a new column Category to `ESLZ Custom Policy Definitions`
Zach 2021-06-07 21:49:32 +02:00, committed by GitHub
Parent e7b15adb37
Commit f457b5fc0e
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
1 changed file: 136 additions and 137 deletions


@ -2,148 +2,147 @@
Azure Policy and deployIfNotExist enables the autonomy in the platform, and reduces the operational burden as you scale your deployments and subscriptions in the Enterprise-Scale architecture. The primary purpose is to ensure that subscriptions and resources are compliant, while empowering application teams to use their own preferred tools/clients to deploy.
## Why are there custom policy definitions as part of Enterprise-Scale Landing Zones?
## Why are there custom policy definitions as part of Enterprise-Scale Landing Zones
We work with - and learn from our customers and partners to ensure that we evolve and enhance the reference implementations to meet customer requirements. The primary approach of the policies as part of Enterprise-Scale is to be proactive (deployIfNotExist, and modify), and preventive (deny), and we are continuously moving these policies to built-ins.
The following tables shows:
* [Custom policyDefinitions](#eslz-custom-policy-definitions) included in the Enterprise-Scale reference implementations
* [Custom policySetDefinitions](#eslz-custom-policy-set-definitions) (Policy Initiatives) included in the Enterprise-Scale reference implementations
* [Policy assignments of built-in policies](#eslz-policy-assignments-for-built-in-policy-definitions-and-policy-set-definitions) in Enterprise-Scale reference implementations
- The following tables shows:
* [ESLZ Custom Policy Definitions](#eslz-custom-policy-definitions) included in the Enterprise-Scale reference implementations
* [ESLZ Custom Policy Set Definitions](#eslz-custom-policy-set-definitions) (Policy Initiatives) included in the Enterprise-Scale reference implementations
* [ESLZ Policy Assignments for built-in policy definitions and policy set definitions](#eslz-policy-assignments-for-built-in-policy-definitions-and-policy-set-definitions) in Enterprise-Scale reference implementations
## ESLZ Custom Policy Definitions
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version | State | Can optionally be assigned when deploying ESLZ | Assignment scope
|---|---|---|---|---|---|---|
|Deploy Windows Domain Join Extension with Key Vault configuration |Deploys VM extension to join Windows machines to Active Directory domain, where keys are stored and retrieved from a centralized managed Key Vault |deployIfNotExist, disabled |1.0.0 | Custom policy | No | Landing Zone Management Group
|Deploys virtual network peering to hub |Deploys a virtual network with an address space, and optionally custom DNS, and will peer to the connectivity hub in the specified region |deployIfNotExist, disabled |1.0.0 | Custom policy | Yes, recommended, in Adventure Works | Directly on the subscriptions
|Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS |Deploy a specific min TLS version requirement and enforce SSL on Azure Storage | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| SQL managed instances deploy a specific min tls version requirement | Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| Deploy SQL Database vulnerability assessments | Deploys and configures SQL Databases vulnerability assessments to the provided storage account | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| Deploy SQL Database TDE | Deploys SQL Database Transparent Data Encryption setting for Azure SQL databases | deployIfNotExists, disabled | 1.0.0 | Custom Policy | Yes, recommended | Landing Zone Management Group
| Deploy SQL Database security alert policies configuration | Deploy the security Alert Policies configuration with email admin accounts when it does not exist in current configuration | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group
| SQL server - deploys a specific min TLS version requirement | Deploy a specific min TLS version requirement and enforce SSL on Azure SQL | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| Deploy SQL database auditing settings | Deploy and enable the SQL audit configuration to SQL databases | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| Azure Database for PostgreSQL - deploys a specific min TLS version requirement | Deploys a specific min TLS version requirement and enforce SSL on Azure DB for PostgreSQL | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
|Deploy NSG flow logs and traffic analytics to Log Analytics | Deploys Network Security Group flow logs and enables traffic analytics to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group
| Deploys NSG flow logs and traffic analytics | Deploys Network Security Group flow logs and enables traffic analytics to a storage account | deployIfNotExists, disabled | 1.0.0 | Deprecated | No
| Azure Database for MySql server - deploys a specific min TLS version requirement | Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySql Server | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| Deploy Log Analytics workspace | Deploys Log Analytics workspace to an Azure subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Management, Management Group
| Deploy the configuration to the Log Analytics workspace in the subscription | Deploys configuration for the Log Analytics workspace into an Azure subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Management, Management group
| Deploy Azure Firewall Manager policy in a subscription | Deploys the Azure Firewall Manager policy in an Azure subscription | deployIfNotExists, disabled | 1.0.0 | Deprecated | No | N/A
| Deploy DNS Zone Group for Storage-Table Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Table Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group
| Deploy DNS Zone Group for SQL Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for SQL Private Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group
| Deploy DNS Zone Group for Storage-Queue Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Queue Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group
| Deploy DNS Zone Group for Key Vault Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Key Vault Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group
| Deploy DNS Zone Group for Storage-File Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-File Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled |1.0.0 | Custom policy | No | Landing Zone Management Group
| Deploy DNS Zone Group for Storage-Blob Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Blob Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled |1.0.0 | Custom policy | No | Landing Zone Management Group
| Deploy Diagnostics settings for WVD Workspace to Log Analytics workspace | Deploys the diagnostics settings for Windows Virtual Desktop workspace, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for WVD Host Pools to Log Analytics workspace | Deploys the diagnostics settings for Windows Virtual Desktop host pools, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for WVD Application group to Log Analytics workspace | Deploys the diagnostics settings for Windows Virtual Desktop application group, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for App Service to Log Analytics workspace | Deploys the diagnostics settings for App Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for App Service Plan to Log Analytics workspace | Deploys the diagnostics settings for App Services Plan, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for VPN Gateway to Log Analytics workspace | Deploys the diagnostics settings for VPN Gateway, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Virtual Machine Scale Sets to Log Analytics workspace | Deploys the diagnostics settings for Virtual Machine Scale sets, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Virtual Machines to Log Analytics workspace | Deploys the diagnostics settings for Virtual Machines, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Virtual Network to Log Analytics workspace | Deploys the diagnostics settings for Virtual Networks, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Traffic Manager to Log Analytics workspace | Deploys the diagnostics settings for Traffic Manager, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Time Series Insights to Log Analytics workspace | Deploys the diagnostics settings for Time Series Insight, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostics settings for Stream Analytics, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for SQL Managed Instance to Log Analytics workspace | Deploys the diagnostics settings for SQL Managed Instances, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for SQL Elastic Pools to Log Analytics workspace | Deploys the diagnostics settings for SQL Elastic Pools, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for SQL Databases to Log Analytics workspace | Deploys the diagnostics settings for SQL Databases, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for SignalR to Log Analytics workspace | Deploys the diagnostics settings for SignalR, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Service Bus Namespaces to Log Analytics workspace | Deploys the diagnostics settings for Service Bus namespaces, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Search Services to Log Analytics workspace | Deploys the diagnostics settings for Search Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Relay to Log Analytics workspace | Deploys the diagnostics settings for SQL Relay, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Redis Cache to Log Analytics workspace | Deploys the diagnostics settings for Redis Cache, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Power BI Embedded to Log Analytics workspace | Deploys the diagnostics settings for Power BI Embedded, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Database for MySql to Log Analytics workspace | Deploys the diagnostics settings for Database for MySql, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Database for PostgreSQL to Log Analytics workspace | Deploys the diagnostics settings for Database for PostgreSQL, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for MariaDb to Log Analytics workspace | Deploys the diagnostics settings for Database for MariaDb, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Network Interface to Log Analytics workspace | Deploys the diagnostics settings for Power Network Interface, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Network Security Groups to Log Analytics workspace | Deploys the diagnostics settings for Network Security Groups, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Machine Learning to Log Analytics workspace | Deploys the diagnostics settings for Machine Learning, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Recovery Services to Log Analytics workspace | Deploys the diagnostics settings for Recovery Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Network Security Groups to Log Analytics workspace | Deploys the diagnostics settings for Network Security Groups, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Azure Media Services to Log Analytics workspace | Deploys the diagnostics settings for Azure Media Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Logic Apps workflow to Log Analytics workspace | Deploys the diagnostics settings for Logic Apps workflows, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Logic Apps integration service environment to Log Analytics workspace | Deploys the diagnostics settings for Logic Apps integration service environment, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Load Balancer to Log Analytics workspace | Deploys the diagnostics settings for Load Balancers, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Key Vault to Log Analytics workspace | Deploys the diagnostics settings for Key Vaults, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for IoT Hub to Log Analytics workspace | Deploys the diagnostics settings for IoT Hubs, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for HDInsight to Log Analytics workspace | Deploys the diagnostics settings for HDInsights, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Azure Functions to Log Analytics workspace | Deploys the diagnostics settings for Azure Functions, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Front Door to Log Analytics workspace | Deploys the diagnostics settings for Front Door, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Firewall to Log Analytics workspace | Deploys the diagnostics settings for Firewalls, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for ExpressRoute to Log Analytics workspace | Deploys the diagnostics settings for ExpressRoute, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Event Hub to Log Analytics workspace | Deploys the diagnostics settings for Event Hubs, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Event Grid Topic to Log Analytics workspace | Deploys the diagnostics settings for Event Grid Topics, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Event Grid Subscriptions to Log Analytics workspace | Deploys the diagnostics settings for Event Grid Subscriptions, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Event Grid System Topic to Log Analytics workspace | Deploys the diagnostics settings for Event Grid System Topics, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Data Lake to Log Analytics workspace | Deploys the diagnostics settings for Data Lake, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Azure Data Lake store to Log Analytics workspace | Deploys the diagnostics settings for Azure Data Lake store, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Data Factory to Log Analytics workspace | Deploys the diagnostics settings for Data Factory, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Azure Data Explorer Cluster to Log Analytics workspace | Deploys the diagnostics settings for Azure Data Explorer Cluster, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Databricks store to Log Analytics workspace | Deploys the diagnostics settings for Databricks, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostics settings for CosmosDB, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Cognitive Services to Log Analytics workspace | Deploys the diagnostics settings for Cognitive Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for CDN Endpoint to Log Analytics workspace | Deploys the diagnostics settings for CDN Endpoints, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Batch to Log Analytics workspace | Deploys the diagnostics settings for Batch, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Application Gateway to Log Analytics workspace | Deploys the diagnostics settings for Application Gateways, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for API Management to Log Analytics workspace | Deploys the diagnostics settings for API Management, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Azure API for FHIR to Log Analytics workspace | Deploys the diagnostics settings for Azure API for FHIR, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Analysis Services for FHIR to Log Analytics workspace | Deploys the diagnostics settings for Analysis Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Kubernetes Service to Log Analytics workspace | Deploys the diagnostics settings for Kubernetes Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Container Registry to Log Analytics workspace | Deploys the diagnostics settings for Container Registries, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Container Instance to Log Analytics workspace | Deploys the diagnostics settings for Container Instances, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Diagnostics settings for Automation to Log Analytics workspace | Deploys the diagnostics settings for Automation Accounts, and connects to a Log Analytics workspace | deployIfNotExists, disabled |1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy a user-defined route to a VNET with specific routes | Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Corp and Online Management Group
| Deploy an Azure DDoS Protection Standard plan | Deploys and creates the DDoS Protection Standard plan into the connectivity subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended, in Adventure Works | Connectivity Management Group
| Deploy a default budget on all subscriptions under the assigned scope | Deploy a default budget to limit cost/usage, or to simply track usage | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Sandboxes Management Group
| Deploy Azure Security Center Security Contacts | Deploys default security contacts for ASC on the Azure subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for Virtual Machines | Deploys and enable Azure Defender for Virtual Machines on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for Sql on Virtual Machines | Deploys and enable Azure Defender for Sql on Virtual Machines on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for Azure Sql Databases | Deploys and enable Azure Defender for Azure Sql Databases on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for Storage Accounts | Deploys and enable Azure Defender for Sql on Storage Accounts on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for DNS | Deploys and enable Azure Defender for DNS on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for ARM | Deploys and enable Azure Defender for Azure Resource Manager on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for App Services | Deploys and enable Azure Defender for App Services on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for AKV | Deploys and enable Azure Defender for Azure Key Vault on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for AKS | Deploys and enable Azure Defender for Azure Kubernetes on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deploy Azure Defender for ACR | Deploys and enable Azure Defender for Azure Container Registries on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group
| Deny vNet peering | Denies creation of vnet peering | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Sandboxes Management Group
| Deny vNet peering cross subscription | Denies the creation of vnet peering outside of the same subscription | deny, audit, disabled | 1.0.0 | Custom policy | No | Sandboxes Management Group
| Subnets should have a User Defined Route | Denies the creation of a subnet without having a User-Defined Route | deny, audit, disabled | 1.0.0 | Custom policy | No
| Subnets should have a Network Security Group | Denies the creation of a subnet that is not associated with a Network Security Group | deny, audit, disabled | 1.0.0 | Custom policy | No | Landing Zones Management Group
| Storage Account set to minimum TLS and Secure transfer should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| SQL Managed Instance should have the minimal TLS version set to the highest version | etting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| Azure SQL Database should have the minimal TLS version set to the highest version | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| Azure Cache for Redis only secure connections should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| RDP access from the Internet should be blocked | Denies any network security rule that allows RDP access from Internet | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group, Identity Management Group
| Deny creation of Public IP Addresses | Denies creation of public IP addresses | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access on Storage Accounts should be disabled | Denies creation of storage accounts using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access on Azure SQL Database should be disabled | Denies creation of SQL databases using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access should be disabled for MySql| Denies creation of MySql using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access should be disabled for PostgreSql| Denies creation of PostgreSql using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access should be disabled for Maria DB| Denies creation of MariaDb using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access should be disabled for Key Vault| Denies creation of KeyVault using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access should be disabled for Cosmos DB| Denies creation of Cosmos DB using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Public network access on AKS API should be disabled | Denies creation of AKS non-private clusters | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group
| Deny creation of Private DNS | Denies creation of private DNS, and should be used in combination with policies that create centralized private DNS in connectivity subscription | deny, audit, disabled | 1.0.0 | Custom policy | No | Corp Management Group
| PostgreSQL database servers enforce SSL connection | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| MySQL database servers enforce SSL connections | Azure Database for MySql supports connecting your Azure Database for MySql server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| Application Gateway should be deployed with WAF enabled | Denies creation of Application Gateways when WAF is not enabled | deny, audit, disabled | 1.0.0 | Custom policy | No | Landing Zones Management Group
| No child resources in Automation account | Denies creation of child resources (variables, runbooks etc.) in an Automation Account | deny, audit, disabled | 1.0.0 | Custom policy | No | Management, Management Group
| Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS | Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
|Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group
| KeyVault SoftDelete should be enabled | Ensures that Key Vaults are created with soft-delete enabled | append | 1.0.0 | Custom policy | No | Intermediate Root Management Group
| AppService append sites with minimum TLS version to enforce | Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
| AppService append enable https only setting to enforce https setting | Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group
|**Name**<br /><sub>(Azure portal)</sub> | <div style="width:1000px">**Description**</div> | **Effect(s)** | **Version** | **State** | **Can optionally be assigned when deploying ESLZ** | **Assignment scope** | **Category** |
|---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
| Web Application should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | App Service |
| Function App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | App Service |
| API App should only be accessible over HTTPS | Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | App Service |
| AppService append sites with minimum TLS version to enforce | Append the AppService sites object to ensure that min Tls version is set to required minimum TLS version | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | App Service |
| AppService append enable https only setting to enforce https setting | Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | App Service |
| No child resources in Automation account | Denies creation of child resources (variables, runbooks etc.) in an Automation Account | deny, audit, disabled | 1.0.0 | Custom policy | No | Management, Management Group | Automation |
| Deploy a default budget on all subscriptions under the assigned scope | Deploy a default budget to limit cost/usage, or to simply track usage | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Sandboxes Management Group | Budget |
| Azure Cache for Redis only secure connections should be enabled | Audit enabling of only connections via SSL to Azure Cache for Redis. Validate both minimum TLS version and enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | Cache |
| Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS | Append a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | Cache |
| Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled | Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | append, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | Cache |
| Deploy Windows Domain Join Extension with Key Vault configuration | Deploys VM extension to join Windows machines to Active Directory domain, where keys are stored and retrieved from a centralized managed Key Vault | deployIfNotExist, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Guest Configuration |
| Public network access should be disabled for Key Vault | Denies creation of KeyVault using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | Key Vault |
| KeyVault SoftDelete should be enabled | Ensures that Key Vaults are created with soft-delete enabled | append | 1.0.0 | Custom policy | No | Intermediate Root Management Group | Key Vault |
| Public network access on AKS API should be disabled | Denies creation of AKS non-private clusters | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | Kubernetes |
| Deploy NSG flow logs and traffic analytics to Log Analytics | Deploys Network Security Group flow logs and enables traffic analytics to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Monitoring |
| Deploys NSG flow logs and traffic analytics | Deploys Network Security Group flow logs and enables traffic analytics to a storage account | deployIfNotExists, disabled | 1.0.0 | Deprecated | No | | Monitoring |
| Deploy the configuration to the Log Analytics workspace in the subscription | Deploys configuration for the Log Analytics workspace into an Azure subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Management, Management group | Monitoring |
| Deploy Diagnostics settings for WVD Workspace to Log Analytics workspace | Deploys the diagnostics settings for Windows Virtual Desktop workspace, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for WVD Host Pools to Log Analytics workspace | Deploys the diagnostics settings for Windows Virtual Desktop host pools, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for WVD Application group to Log Analytics workspace | Deploys the diagnostics settings for Windows Virtual Desktop application group, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for App Service to Log Analytics workspace | Deploys the diagnostics settings for App Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for App Service Plan to Log Analytics workspace | Deploys the diagnostics settings for App Services Plan, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for VPN Gateway to Log Analytics workspace | Deploys the diagnostics settings for VPN Gateway, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Virtual Machine Scale Sets to Log Analytics workspace | Deploys the diagnostics settings for Virtual Machine Scale sets, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Virtual Machines to Log Analytics workspace | Deploys the diagnostics settings for Virtual Machines, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Virtual Network to Log Analytics workspace | Deploys the diagnostics settings for Virtual Networks, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Traffic Manager to Log Analytics workspace | Deploys the diagnostics settings for Traffic Manager, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Time Series Insights to Log Analytics workspace | Deploys the diagnostics settings for Time Series Insight, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostics settings for Stream Analytics, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for SQL Managed Instance to Log Analytics workspace | Deploys the diagnostics settings for SQL Managed Instances, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for SQL Elastic Pools to Log Analytics workspace | Deploys the diagnostics settings for SQL Elastic Pools, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for SQL Databases to Log Analytics workspace | Deploys the diagnostics settings for SQL Databases, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for SignalR to Log Analytics workspace | Deploys the diagnostics settings for SignalR, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Service Bus Namespaces to Log Analytics workspace | Deploys the diagnostics settings for Service Bus namespaces, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Search Services to Log Analytics workspace | Deploys the diagnostics settings for Search Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Relay to Log Analytics workspace | Deploys the diagnostics settings for SQL Relay, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Redis Cache to Log Analytics workspace | Deploys the diagnostics settings for Redis Cache, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Power BI Embedded to Log Analytics workspace | Deploys the diagnostics settings for Power BI Embedded, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Database for MySql to Log Analytics workspace | Deploys the diagnostics settings for Database for MySql, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Database for PostgreSQL to Log Analytics workspace | Deploys the diagnostics settings for Database for PostgreSQL, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for MariaDb to Log Analytics workspace | Deploys the diagnostics settings for Database for MariaDb, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Network Interface to Log Analytics workspace | Deploys the diagnostics settings for Power Network Interface, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Network Security Groups to Log Analytics workspace | Deploys the diagnostics settings for Network Security Groups, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Machine Learning to Log Analytics workspace | Deploys the diagnostics settings for Machine Learning, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Recovery Services to Log Analytics workspace | Deploys the diagnostics settings for Recovery Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Network Security Groups to Log Analytics workspace | Deploys the diagnostics settings for Network Security Groups, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Azure Media Services to Log Analytics workspace | Deploys the diagnostics settings for Azure Media Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Logic Apps workflow to Log Analytics workspace | Deploys the diagnostics settings for Logic Apps workflows, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Logic Apps integration service environment to Log Analytics workspace | Deploys the diagnostics settings for Logic Apps integration service environment, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Load Balancer to Log Analytics workspace | Deploys the diagnostics settings for Load Balancers, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Key Vault to Log Analytics workspace | Deploys the diagnostics settings for Key Vaults, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for IoT Hub to Log Analytics workspace | Deploys the diagnostics settings for IoT Hubs, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for HDInsight to Log Analytics workspace | Deploys the diagnostics settings for HDInsights, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Azure Functions to Log Analytics workspace | Deploys the diagnostics settings for Azure Functions, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Front Door to Log Analytics workspace | Deploys the diagnostics settings for Front Door, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Firewall to Log Analytics workspace | Deploys the diagnostics settings for Firewalls, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for ExpressRoute to Log Analytics workspace | Deploys the diagnostics settings for ExpressRoute, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Event Hub to Log Analytics workspace | Deploys the diagnostics settings for Event Hubs, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Event Grid Topic to Log Analytics workspace | Deploys the diagnostics settings for Event Grid Topics, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Event Grid Subscriptions to Log Analytics workspace | Deploys the diagnostics settings for Event Grid Subscriptions, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Event Grid System Topic to Log Analytics workspace | Deploys the diagnostics settings for Event Grid System Topics, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Data Lake to Log Analytics workspace | Deploys the diagnostics settings for Data Lake, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Azure Data Lake store to Log Analytics workspace | Deploys the diagnostics settings for Azure Data Lake store, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Data Factory to Log Analytics workspace | Deploys the diagnostics settings for Data Factory, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Azure Data Explorer Cluster to Log Analytics workspace | Deploys the diagnostics settings for Azure Data Explorer Cluster, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Databricks store to Log Analytics workspace | Deploys the diagnostics settings for Databricks, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Cosmos DB to Log Analytics workspace | Deploys the diagnostics settings for CosmosDB, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Cognitive Services to Log Analytics workspace | Deploys the diagnostics settings for Cognitive Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for CDN Endpoint to Log Analytics workspace | Deploys the diagnostics settings for CDN Endpoints, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Batch to Log Analytics workspace | Deploys the diagnostics settings for Batch, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Application Gateway to Log Analytics workspace | Deploys the diagnostics settings for Application Gateways, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for API Management to Log Analytics workspace | Deploys the diagnostics settings for API Management, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Azure API for FHIR to Log Analytics workspace | Deploys the diagnostics settings for Azure API for FHIR, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Analysis Services for FHIR to Log Analytics workspace | Deploys the diagnostics settings for Analysis Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Kubernetes Service to Log Analytics workspace | Deploys the diagnostics settings for Kubernetes Services, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Container Registry to Log Analytics workspace | Deploys the diagnostics settings for Container Registries, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Container Instance to Log Analytics workspace | Deploys the diagnostics settings for Container Instances, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploy Diagnostics settings for Automation to Log Analytics workspace | Deploys the diagnostics settings for Automation Accounts, and connects to a Log Analytics workspace | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Monitoring |
| Deploys virtual network peering to hub | Deploys a virtual network with an address space, and optionally custom DNS, and will peer to the connectivity hub in the specified region | deployIfNotExist, disabled | 1.0.0 | Custom policy | Yes, recommended, in Adventure Works | Directly on the subscriptions | Network |
| Deploy Azure Firewall Manager policy in a subscription | Deploys the Azure Firewall Manager policy in an Azure subscription | deployIfNotExists, disabled | 1.0.0 | Deprecated | No | N/A | Network |
| Deploy DNS Zone Group for Storage-Table Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Table Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Network |
| Deploy DNS Zone Group for SQL Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for SQL Private Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Network |
| Deploy DNS Zone Group for Storage-Queue Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Queue Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Network |
| Deploy DNS Zone Group for Key Vault Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Key Vault Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Network |
| Deploy DNS Zone Group for Storage-File Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-File Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Network |
| Deploy DNS Zone Group for Storage-Blob Private Endpoint | Deploys the configurations of a Private DNS Zone Group by a parameter for Storage-Blob Private Endpoint. Used enforce the configuration to a single Private DNS Zone | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | Network |
| Deploy a user-defined route to a VNET with specific routes | Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Corp and Online Management Group | Network |
| Deploy an Azure DDoS Protection Standard plan | Deploys and creates the DDoS Protection Standard plan into the connectivity subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended, in Adventure Works | Connectivity Management Group | Network |
| Deny vNet peering | Denies creation of vnet peering | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Sandboxes Management Group | Network |
| Deny vNet peering cross subscription | Denies the creation of vnet peering outside of the same subscription | deny, audit, disabled | 1.0.0 | Custom policy | No | Sandboxes Management Group | Network |
| Subnets should have a User Defined Route | Denies the creation of a subnet without having a User-Defined Route | deny, audit, disabled | 1.0.0 | Custom policy | No | | Network |
| Subnets should have a Network Security Group | Denies the creation of a subnet that is not associated with a Network Security Group | deny, audit, disabled | 1.0.0 | Custom policy | No | Landing Zones Management Group | Network |
| RDP access from the Internet should be blocked | Denies any network security rule that allows RDP access from Internet | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group, Identity Management Group | Network |
| Application Gateway should be deployed with WAF enabled | Denies creation of Application Gateways when WAF is not enabled | deny, audit, disabled | 1.0.0 | Custom policy | No | Landing Zones Management Group | Network |
| Deny creation of Public IP Addresses | Denies creation of public IP addresses | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | Network |
| Deny creation of Private DNS | Denies creation of private DNS, and should be used in combination with policies that create centralized private DNS in connectivity subscription | deny, audit, disabled | 1.0.0 | Custom policy | No | Corp Management Group | Network |
| Deploy Azure Security Center Security Contacts | Deploys default security contacts for ASC on the Azure subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for Virtual Machines | Deploys and enable Azure Defender for Virtual Machines on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for Sql on Virtual Machines | Deploys and enable Azure Defender for Sql on Virtual Machines on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for Azure Sql Databases | Deploys and enable Azure Defender for Azure Sql Databases on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for Storage Accounts | Deploys and enable Azure Defender for Sql on Storage Accounts on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for DNS | Deploys and enable Azure Defender for DNS on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for ARM | Deploys and enable Azure Defender for Azure Resource Manager on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for App Services | Deploys and enable Azure Defender for App Services on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for AKV | Deploys and enable Azure Defender for Azure Key Vault on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for AKS | Deploys and enable Azure Defender for Azure Kubernetes on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| Deploy Azure Defender for ACR | Deploys and enable Azure Defender for Azure Container Registries on the subscription to be either set to on (Standard) or free | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Intermediate root Management Group | Security Center |
| SQL managed instances deploy a specific min tls version requirement | Deploy a specific min TLS version requirement and enforce SSL on SQL managed instances | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | SQL |
| Deploy SQL Database vulnerability assessments | Deploys and configures SQL Databases vulnerability assessments to the provided storage account | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | SQL |
| Deploy SQL Database security alert policies configuration | Deploy the security Alert Policies configuration with email admin accounts when it does not exist in current configuration | deployIfNotExists, disabled | 1.0.0 | Custom policy | No | Landing Zone Management Group | SQL |
| SQL server - deploys a specific min TLS version requirement | Deploy a specific min TLS version requirement and enforce SSL on Azure SQL | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | SQL |
| Deploy SQL database auditing settings | Deploy and enable the SQL audit configuration to SQL databases | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | SQL |
| Azure Database for PostgreSQL - deploys a specific min TLS version requirement | Deploys a specific min TLS version requirement and enforce SSL on Azure DB for PostgreSQL | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | SQL |
| Azure Database for MySql server - deploys a specific min TLS version requirement | Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySql Server | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | SQL |
| SQL Managed Instance should have the minimal TLS version set to the highest version | etting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | SQL |
| Azure SQL Database should have the minimal TLS version set to the highest version | Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not reccomended since they have well documented security vunerabilities | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | SQL |
| Public network access on Azure SQL Database should be disabled | Denies creation of SQL databases using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | SQL |
| Public network access should be disabled for MySql | Denies creation of MySql using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | SQL |
| Public network access should be disabled for PostgreSql | Denies creation of PostgreSql using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | SQL |
| Public network access should be disabled for Maria DB | Denies creation of MariaDb using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | SQL |
| Public network access should be disabled for Cosmos DB | Denies creation of Cosmos DB using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | SQL |
| PostgreSQL database servers enforce SSL connection | Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | SQL |
| MySQL database servers enforce SSL connections | Azure Database for MySql supports connecting your Azure Database for MySql server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | SQL |
| Deploy SQL Database TDE | Deploys SQL Database Transparent Data Encryption setting for Azure SQL databases | deployIfNotExists, disabled | 1.0.0 | Custom Policy | Yes, recommended | Landing Zone Management Group | SQL |
| Azure Storage deploy a specific min TLS version requirement and enforce SSL/HTTPS | Deploy a specific min TLS version requirement and enforce SSL on Azure Storage | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zone Management Group | Storage |
| Storage Account set to minimum TLS and Secure transfer should be enabled | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Landing Zones Management Group | Storage |
| Public network access on Storage Accounts should be disabled | Denies creation of storage accounts using public endpoints | deny, audit, disabled | 1.0.0 | Custom policy | Yes, recommended | Corp Management Group | Storage |
| Deploy Log Analytics workspace | Deploys Log Analytics workspace to an Azure subscription | deployIfNotExists, disabled | 1.0.0 | Custom policy | Yes, recommended | Management, Management Group | Storage |
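Review bot: The new Category value for "Deploy Log Analytics workspace" is "Storage", but it is the only Log Analytics row not tagged "Monitoring" (every "Deploy Diagnostics settings ... to Log Analytics workspace" row above uses "Monitoring"); change it to "Monitoring", and its assignment cell "Management, Management Group" has a stray comma. Since this change touches every row, the pre-existing defects in the same hunk should be cleaned up at the same time: "Deploy Azure Defender for Storage Accounts" describes itself as "Deploys and enable Azure Defender for Sql on Storage Accounts" (copy-paste from the SQL row); the SQL Managed Instance TLS row starts "etting minimal TLS version" and both TLS rows misspell "reccomended" and "vunerabilities"; the "Deploy DNS Zone Group for SQL Private Endpoint" row reads "SQL Private Private Endpoint" and all six DNS Zone Group rows say "Used enforce" instead of "Used to enforce"; "Deploys virtual network peering to hub" lists the effect as "deployIfNotExist" while every other row uses "deployIfNotExists"; "Deploy SQL Database TDE" uses "Custom Policy" where the column otherwise says "Custom policy"; "Subnets should have a User Defined Route" has an empty assignment cell; and the assignment column mixes "Landing Zone Management Group" and "Landing Zones Management Group" for the same scope, so one spelling should be picked and applied throughout.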
## ESLZ Custom Policy Set Definitions