Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This page is an index of Azure Policy built-in policy definitions for Azure Monitor. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure Monitor
| Name | Description | Effect(s) | Version | GitHub |
|---|---|---|---|---|
| [Preview]: Audit Log Analytics Agent Deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.0-preview | Link |
| Activity log should be retained for at least one year | This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). | AuditIfNotExists, Disabled | 1.0.0 | Link |
| An activity log alert should exist for specific Administrative operations | This policy audits specific Administrative operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| An activity log alert should exist for specific Policy operations | This policy audits specific Policy operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| An activity log alert should exist for specific Security operations | This policy audits specific Security operations with no activity log alerts configured. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Audit Dependency agent deployment - VM Image (OS) unlisted | Reports VMs as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 | Link |
| Audit Dependency agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 | Link |
| Audit diagnostic setting | Audit diagnostic setting for selected resource types | AuditIfNotExists | 1.0.0 | Link |
| Audit Log Analytics agent deployment in virtual machine scale sets - VM Image (OS) unlisted | Reports virtual machine scale sets as non-compliant if the VM Image (OS) is not in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | auditIfNotExists | 1.0.1 | Link |
| Audit Log Analytics workspace for VM - Report Mismatch | Reports VMs as non-compliant if they aren't logging to the Log Analytics workspace specified in the policy/initiative assignment. | audit | 1.0.1 | Link |
| Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' | This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Azure Monitor should collect activity logs from all regions | This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Azure Monitor solution 'Security and Audit' must be deployed | This policy ensures that Security and Audit is deployed. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Azure subscriptions should have a log profile for Activity Log | This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Dependency agent for Linux virtual machine scale sets | Deploy Dependency agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.0.1 | Link |
| Deploy Dependency agent for Linux VMs | Deploy Dependency agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | deployIfNotExists | 1.0.1 | Link |
| Deploy Dependency agent for Windows virtual machine scale sets | Deploy Dependency agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.0.1 | Link |
| Deploy Dependency agent for Windows VMs | Deploy Dependency agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | deployIfNotExists | 1.0.1 | Link |
| Deploy Diagnostic Settings for Batch Account to Event Hub | Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Deploys the diagnostic settings for Batch Account to stream to a regional Log Analytics workspace when any Batch Account which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Data Lake Analytics to Event Hub | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Event Hub when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Analytics to stream to a regional Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Data Lake Storage Gen1 to Event Hub | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Event Hub when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Data Lake Storage Gen1 to Log Analytics workspace | Deploys the diagnostic settings for Data Lake Storage Gen1 to stream to a regional Log Analytics workspace when any Data Lake Storage Gen1 which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Event Hub to Event Hub | Deploys the diagnostic settings for Event Hub to stream to a regional Event Hub when any Event Hub which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Deploys the diagnostic settings for Event Hub to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Deploys the diagnostic settings for Key Vault to stream to a regional Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Logic Apps to Event Hub | Deploys the diagnostic settings for Logic Apps to stream to a regional Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Deploys the diagnostic settings for Logic Apps to stream to a regional Log Analytics workspace when any Logic Apps which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Network Security Groups | This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created. | deployIfNotExists | 1.0.0 | Link |
| Deploy Diagnostic Settings for Search Services to Event Hub | Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Service Bus to Event Hub | Deploys the diagnostic settings for Service Bus to stream to a regional Event Hub when any Service Bus which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Deploys the diagnostic settings for Service Bus to stream to a regional Log Analytics workspace when any Service Bus which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Diagnostic Settings for Stream Analytics to Event Hub | Deploys the diagnostic settings for Stream Analytics to stream to a regional Event Hub when any Stream Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 2.0.0 | Link |
| Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Deploys the diagnostic settings for Stream Analytics to stream to a regional Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. | DeployIfNotExists, Disabled | 1.0.0 | Link |
| Deploy Log Analytics agent for Linux virtual machine scale sets | Deploy Log Analytics agent for Linux virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.0.1 | Link |
| Deploy Log Analytics agent for Linux VMs | Deploy Log Analytics agent for Linux VMs if the VM Image (OS) is in the list defined and the agent is not installed. | deployIfNotExists | 1.0.1 | Link |
| Deploy Log Analytics agent for Windows virtual machine scale sets | Deploy Log Analytics agent for Windows virtual machine scale sets if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | deployIfNotExists | 1.0.1 | Link |
| Deploy Log Analytics agent for Windows VMs | Deploy Log Analytics agent for Windows VMs if the VM Image (OS) is in the list defined and the agent is not installed. The list of OS images will be updated over time as support is updated. | deployIfNotExists | 1.0.1 | Link |
| Network traffic data collection agent should be installed on Linux virtual machines | Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.0-preview | Link |
| Network traffic data collection agent should be installed on Windows virtual machines | Security Center uses the Microsoft Monitoring Dependency Agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. | AuditIfNotExists, Disabled | 1.0.0-preview | Link |
| Storage account containing the container with activity logs must be encrypted with BYOK | This policy audits if the Storage account containing the container with activity logs is encrypted with BYOK. The policy works only if the storage account lies on the same subscription as activity logs by design. More information on Azure Storage encryption at rest can be found here storage encryption keys portal. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| The Log Analytics agent should be installed on Virtual Machine Scale Sets | This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 | Link |
| The Log Analytics agent should be installed on virtual machines | This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. | AuditIfNotExists, Disabled | 1.0.0 | Link |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.