Azure Policy built-in initiative definitions
This page is an index of Azure Policy built-in initiative definitions.
The name on each built-in links to the initiative definition source on the Azure Policy GitHub repo. The built-ins are grouped by the category property in metadata. To go to a specific category, use Ctrl-F for your browser's search feature.
Cosmos DB
Name | Description | Policies | Version |
---|---|---|---|
Enable Azure Cosmos DB throughput policy | Enable throughput control for Azure Cosmos DB resources in the specified scope (Management group, Subscription or resource group). Takes max throughput as parameter. Use this policy to help enforce throughput control via the resource provider. | 2 | 1.0.0 |
General
Name | Description | Policies | Version |
---|---|---|---|
Allow Usage Cost Resources | Allow resources to be deployed except MCPP, M365. | 2 | 1.0.0 |
Managed Identity
Name | Description | Policies | Version |
---|---|---|---|
[Preview]: Managed Identity Federated Credentials should be of approved types from approved federation sources | Control use of federated credentials for Managed Identities. This initiative incudes policies to block federated identity credentials altogether, to limit use to specific federation provider types, and to limit federation reationships to approved sources. | 3 | 1.0.0-preview |
Monitoring
Name | Description | Policies | Version |
---|---|---|---|
[Preview]: Configure Azure Defender for SQL agents on virtual machines | Configure virtual machines to automatically install the Azure Defender for SQL agents where the Azure Monitor Agent is installed. Security Center collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and Log Analytics workspace in the same region as the machine. This policy only applies to VMs in a few regions. | 2 | 1.0.0-preview |
Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule | Monitor and secure your Linux virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | 4 | 3.2.0 |
Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule | Monitor and secure your Windows virtual machines, virtual machine scale sets, and Arc machines by deploying the Azure Monitor Agent extension and associating the machines with a specified Data Collection Rule. Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | 4 | 3.2.0 |
Deploy Linux Azure Monitor Agent with user-assigned managed identity-based auth and associate with Data Collection Rule | Monitor your Linux virtual machines and virtual machine scale sets by deploying the Azure Monitor Agent extension with user-assigned managed identity authentication and associating with specified Data Collection Rule. Azure Monitor Agent Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | 5 | 2.3.0 |
Deploy Windows Azure Monitor Agent with user-assigned managed identity-based auth and associate with Data Collection Rule | Monitor your Windows virtual machines and virtual machine scale sets by deploying the Azure Monitor Agent extension with user-assigned managed identity authentication and associating with specified Data Collection Rule. Azure Monitor Agent Deployment will occur on machines with supported OS images (or machines matching the provided list of images) in supported regions. | 5 | 2.3.0 |
Enable allLogs category group resource logging for supported resources to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to Event Hub for all supported resources. | 140 | 1.0.0 |
Enable allLogs category group resource logging for supported resources to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to an Event Hub for all supported resources | 140 | 1.0.0 |
Enable allLogs category group resource logging for supported resources to storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to storage for all supported resources. | 140 | 1.0.0 |
Enable audit category group resource logging for supported resources to Event Hub | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the audit category group to route logs to Event Hub for all supported resources | 69 | 1.1.0 |
Enable audit category group resource logging for supported resources to Log Analytics | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the audit category group to route logs to Log Analytics for all supported resources. | 69 | 1.1.0 |
Enable audit category group resource logging for supported resources to storage | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the audit category group to route logs to storage for all supported resources. | 69 | 1.1.0 |
Enable Azure Monitor for Hybrid VMs with AMA | Enable Azure Monitor for the hybrid virtual machines with AMA. | 6 | 1.0.0 |
Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) | Enable Azure Monitor for the virtual machines (VMs) with AMA. | 7 | 1.2.0 |
Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA) | Enable Azure Monitor for the virtual machines scale set (VMSS) with AMA. | 7 | 1.2.0 |
Legacy - Enable Azure Monitor for Virtual Machine Scale Sets | Legacy - Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Use the new initiative named: Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA). Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances. | 6 | 1.0.2 |
Legacy - Enable Azure Monitor for VMs | Legacy - Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter. Use the new initiative named: Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) | 10 | 2.0.1 |
Network
Name | Description | Policies | Version |
---|---|---|---|
Flow logs should be configured and enabled for every network security group | Audit for network security groups to verify if flow logs are configured and if flow log status is enabled. Enabling flow logs allows to log information about IP traffic flowing through network security group. It can be used for optimizing network flows, monitoring throughput, verifying compliance, detecting intrusions and more. | 2 | 1.0.0 |
Resilience
Name | Description | Policies | Version |
---|---|---|---|
[Preview]: Resources should be Zone Resilient | Some resource types can be deployed Zone Redundant (e.g. SQL Databases); some can be deploy Zone Aligned (e.g. Virtual Machines); and some can be deployed either Zone Aligned or Zone Redundant (e.g. Virtual Machine Scale Sets). Being zone aligned does not guarantee resilience, but it is the foundation on which a resilient solution can be built (e.g. three Virtual Machine Scale Sets zone aligned to three different zones in the same region with a load balancer). See https://docs.azure.cn/reliability/availability-zones-service-support for more info. | 34 | 1.10.0-preview |
SDN
Name | Description | Policies | Version |
---|---|---|---|
Audit Public Network Access | Audit Azure resources that allow access from the public internet | 35 | 4.2.0 |
Evaluate Private Link Usage Across All Supported Azure Resources | Compliant resources have at least one approved private endpoint connection | 30 | 1.1.0 |
Security Center
Name | Description | Policies | Version |
---|---|---|---|
[Preview]: Deploy Microsoft Defender for Endpoint agent | Deploy Microsoft Defender for Endpoint agent on applicable images. | 4 | 1.0.0-preview |
Configure Advanced Threat Protection to be enabled on open-source relational databases | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://docs.azure.cn/defender-for-cloud/defender-for-databases-introduction. | 5 | 1.2.0 |
Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | 3 | 3.0.0 |
Configure Microsoft Defender for Cloud plans | Microsoft Defender for Cloud provides comprehensive, cloud-native protections from development to runtime in multi-cloud environments. Use the policy initiative to configure Defender for Cloud plans and extensions to be enabled on selected scope(s). | 11 | 1.0.0 |
Configure Microsoft Defender for Databases to be enabled | Configure Microsoft Defender for Databases to protect your Azure SQL Databases, Managed Instances, Open-source relational databases and Cosmos DB. | 4 | 1.0.0 |
Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a LA workspace | Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule and Log Analytics workspace in the same region as the machine. | 9 | 1.3.0 |
Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace | Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace. | 8 | 1.2.0 |
Microsoft cloud security benchmark | The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. | 170 | 43.28.0 |
SQL
Name | Description | Policies | Version |
---|---|---|---|
Azure SQL Database should have Microsoft Entra-only authentication | Require Microsoft Entra-only authentication for Azure SQL Database, disabling local authentication methods. This allows access exclusively via Microsoft Entra identities, enhancing security with modern authentication enhancements including MFA, SSO, and secret-less programmatic access with managed identities. | 2 | 1.0.0 |
Azure SQL Managed Instance should have Microsoft Entra-only authentication | Require Microsoft Entra-only authentication for Azure SQL Managed instance, disabling local authentication methods. This allows access exclusively via Microsoft Entra identities, enhancing security with modern authentication enhancements including MFA, SSO, and secret-less programmatic access with managed identities. | 2 | 1.0.0 |
Synapse
Name | Description | Policies | Version |
---|---|---|---|
Configure Synapse Workspaces to mandate Microsoft Entra-only identities for authentication | Require and configure Microsoft Entra-only authentication for Synapse Workspaces, disabling local authentication methods. This allows access exclusively via Microsoft Entra identities, enhancing security with modern authentication enhancements including MFA, SSO, and secret-less programmatic access with managed identities. | 2 | 1.0.0 |
Synapse Workspaces should have Microsoft Entra-only authentication | Require Microsoft Entra-only authentication for Synapse Workspaces, disabling local authentication methods. This allows access exclusively via Microsoft Entra identities, enhancing security with modern authentication enhancements including MFA, SSO, and secret-less programmatic access with managed identities. | 2 | 1.0.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.