Azure Policy built-in definitions for Azure Resource Manager

This page is an index of Azure Policy built-in policy definitions for Azure Resource Manager. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure Resource Manager

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
A maximum of 3 owners should be designated for your subscription It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. AuditIfNotExists, Disabled 2.0.0
A security contact email address should be provided for your subscription Enter an email address to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0
A security contact phone number should be provided for your subscription Enter a phone number to receive notifications when Azure Security Center detects compromised resources AuditIfNotExists, Disabled 1.0.0
Activity log should be retained for at least one year This policy audits the activity log if the retention is not set for 365 days or forever (retention days set to 0). AuditIfNotExists, Disabled 1.0.0
Add a tag to resource groups Adds the specified tag and value when any resource group missing this tag is created or updated. Existing resource groups can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed. modify 1.0.0
Add or replace a tag on resource groups Adds or replaces the specified tag and value when any resource group is created or updated. Existing resource groups can be remediated by triggering a remediation task. modify 1.0.0
Advanced data security should be enabled on Azure SQL Database servers Advanced data security provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate a threat on SQL database and discovering and classifying sensitive data. AuditIfNotExists, Disabled 1.0.1
Advanced threat protection should be enabled on Virtual Machines Advanced threat protection provides real-time threat protection for virtual machine workloads and generates hardening recommendations as well as alerts about suspicious activities. AuditIfNotExists, Disabled 1.0.2
Allowed locations for resource groups This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements. deny 1.0.0
An activity log alert should exist for specific Administrative operations This policy audits specific Administrative operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
An activity log alert should exist for specific Policy operations This policy audits specific Policy operations with no activity log alerts configured. AuditIfNotExists, Disabled 2.0.0
An activity log alert should exist for specific Security operations This policy audits specific Security operations with no activity log alerts configured. AuditIfNotExists, Disabled 1.0.0
Append a tag and its value to resource groups Appends the specified tag and value when any resource group which is missing this tag is created or updated. Does not modify the tags of resource groups created before this policy was applied until those resource groups are changed. New 'modify' effect policies are available that support remediation of tags on existing resources (see https://aka.ms/modifydoc). append 1.0.0
Audit virtual machines without disaster recovery configured Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc. auditIfNotExists 1.0.0
Automatic provisioning of the Log Analytics monitoring agent should be enabled on your subscription Enable automatic provisioning of the Log Analytics monitoring agent in order to collect security data AuditIfNotExists, Disabled 1.0.0
Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action' This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' AuditIfNotExists, Disabled 1.0.0
Azure Monitor should collect activity logs from all regions This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. AuditIfNotExists, Disabled 1.0.0
Azure Monitor solution 'Security and Audit' must be deployed This policy ensures that Security and Audit is deployed. AuditIfNotExists, Disabled 1.0.0
Azure subscriptions should have a log profile for Activity Log This policy ensures if a log profile is enabled for exporting activity logs. It audits if there is no log profile created to export the logs either to a storage account or to an event hub. AuditIfNotExists, Disabled 1.0.0
Deprecated accounts should be removed from your subscription Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 2.0.0
Deprecated accounts with owner permissions should be removed from your subscription Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. AuditIfNotExists, Disabled 2.0.0
Email notification for high severity alerts should be enabled Enable emailing security alerts to the security contact, in order to have them receive security alert emails from Azure. This ensures that the right people are aware of any potential security issues and are able to mitigate the risks AuditIfNotExists, Disabled 1.0.0
Email notification to subscription owner for high severity alerts should be enabled Enable emailing security alerts to the subscription owner, in order to have them receive security alert emails from Azure. This ensures that they are aware of any potential security issues and can mitigate the risk in a timely fashion AuditIfNotExists, Disabled 1.0.0
Enable Azure Security Center on your subscription Identifies existing subscriptions that are not monitored by Azure Security Center (ASC). Subscriptions not monitored by ASC will be registered to the free pricing tier. Subscriptions already monitored by ASC (free or standard), will be considered compliant. To register newly created subscriptions, open the compliance tab, select the relevant non-compliant assignment and create a remediation task. Repeat this step when you have one or more new subscriptions you want to monitor with Security Center. deployIfNotExists 1.0.0
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace. DeployIfNotExists, Disabled 1.0.0
Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with default workspace. Allow Security Center to auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using ASC default workspace. DeployIfNotExists, Disabled 1.0.0
External accounts with owner permissions should be removed from your subscription External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 2.0.0
External accounts with read permissions should be removed from your subscription External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 2.0.0
External accounts with write permissions should be removed from your subscription External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. AuditIfNotExists, Disabled 2.0.0
MFA should be enabled accounts with write permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 2.0.0
MFA should be enabled on accounts with owner permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 2.0.0
MFA should be enabled on accounts with read permissions on your subscription Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. AuditIfNotExists, Disabled 2.0.0
Network Watcher should be enabled Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. auditIfNotExists 1.0.0
Require a tag and its value on resource groups Enforces a required tag and its value on resource groups. deny 1.0.0
Require a tag on resource groups Enforces existence of a tag on resource groups. deny 1.0.0
Service principals should be used to protect your subscriptions instead of management certificates Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. AuditIfNotExists, Disabled 1.0.0
There should be more than one owner assigned to your subscription It is recommended to designate more than one subscription owner in order to have administrator access redundancy. AuditIfNotExists, Disabled 2.0.0

Next steps