Parameters Required

| Service | Policy Definition | Parameter Requirements | Audit Only | Azure Security Benchmark | CIS | CMMC L3 | ISO 27001 | NIST SP 800-171 R2 | NIST SP 800-53 R4 | HIPAA HITRUST 9.2 | New Zealand ISM | Parameters | Link | ID |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Backup | Azure Recovery Services vaults should use customer-managed keys for encrypting backup data | Required | No | | | | | | | | | enableDoubleEncryption | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Backup/AzBackupRSVault_CMKEnabled_Audit.json | 2e94d99a-8a36-4563-bc77-810d8893b671 |
| Batch | Metric alert rules should be configured on Batch accounts | Required | Yes | | | | | | | | | metricName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Batch/Batch_AuditMetricAlerts_Audit.json | 26ee67a2-f81a-4ba8-b9ce-8550bd5ee1a7 |
| Compute | Allowed virtual machine size SKUs | Required | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/VMSkusAllowed_Deny.json | cccc23c7-8427-4f53-ad12-b6a63eb452b3 |
| Compute | Managed disks should use a specific set of disk encryption sets for the customer-managed key encryption | Required | No | | | | | | | | | allowedEncryptionSets | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Compute/ManagedDiskEncryptionSetsAllowed_Deny.json | d461a302-a187-421a-89ac-84acdb4edc04 |
| Compute | Only approved VM extensions should be installed | Required | No | | 7.4 | | | | | | | approvedExtensions | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_ApprovedExtensions_Audit.json | c0e996f8-39cf-4af9-9f45-83fbde810432 |
| Compute | Resource logs in Virtual Machine Scale Sets should be enabled | Required | Yes | LT-4 | 5.3 | | | | | 1206.09aa2System.23 - 09.aa | | includeAKSClusters | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json | 7c1b1214-f927-48bf-8882-84f0af6588b1 |
| Cosmos DB | Azure Cosmos DB allowed locations | Required | Yes | | | | | | | | | listOfAllowedLocations, policyEffect | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_Locations_Deny.json | 0473574d-2d43-4217-aefe-941fcdf7e684 |
| Cosmos DB | Azure Cosmos DB throughput should be limited | Required | No | | | | | | | | | throughputMax | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_MaxThroughput_Deny.json | 0b7ef78e-a035-4f23-b9bd-aff122a1b1cf |
| Data Factory | Azure Data Factory linked service resource type should be in allow list | Required | No | | | | | | | | | allowedLinkedServiceResourceTypes | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Data%20Factory/LinkedService_ResourceType_Audit.json | 6809a3d0-d354-42fb-b955-783d207c62a8 |
| General | Allowed locations for resource groups | Required | No | | | | | | | | ESS-2 | listOfAllowedLocations | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/ResourceGroupAllowedLocations_Deny.json | e765b5de-1225-4ba3-bd56-1ac6695af988 |
| General | Allowed locations | Required | No | | | | | | | | ESS-2 | listOfAllowedLocations | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/AllowedLocations_Deny.json | e56962a6-4747-49cd-b67b-bf8b01975c4c |
| General | Allowed resource types | Required | No | | | | | | | | | listOfResourceTypesAllowed | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/General/AllowedResourceTypes_Deny.json | a08ec900-254a-4555-9bf5-e42af04b5c5c |
| General | Not allowed resource types | Required | No | | | | | | | | | listOfResourceTypesNotAllowed | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/General/InvalidResourceTypes_Deny.json | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
| Key Vault | Certificates should be issued by the specified non-integrated certificate authority | Required | No | | | | | | | | | caCommonName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Issuers_CustomCAs.json | a22f4a40-01d3-4c7d-8071-da157eeff341 |
| Key Vault | Certificates should have the specified lifetime action triggers | Required | No | | | | | | | | | maximumPercentageLife, minimumDaysBeforeExpiry | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_LifetimeAction.json | 12ef42cb-9903-4e39-9c26-422d29570417 |
| Key Vault | Certificates should not expire within the specified number of days | Required | No | | | | | | | | | daysToExpire | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_Expiry_ByDays.json | f772fb64-8e40-40ad-87bc-7706e1949427 |
| Key Vault | Certificates using RSA cryptography should have the specified minimum key size | Required | No | | | | | | | | | minimumRSAKeySize | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Certificates_RSA_MinimumKeySize.json | cee51871-e572-4576-855c-047c820360f0 |
| Key Vault | Keys should have more than the specified number of days before expiration | Required | No | | | | | | | | | minimumDaysBeforeExpiration | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_Expiry_ByDays.json | 5ff38825-c5d8-47c5-b70e-069a21955146 |
| Key Vault | Keys should have the specified maximum validity period | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ValidityPeriod.json | 49a22571-d204-4c91-a7b6-09b1a586fbc9 |
| Key Vault | Keys should not be active for longer than the specified number of days | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_ActivePeriod.json | c26e4b24-cf98-4c67-b48b-5a25c4c69eb9 |
| Key Vault | Keys using RSA cryptography should have a specified minimum key size | Required | No | | | | | | | | | minimumRSAKeySize | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/Keys_RSA_MinimumKeySize.json | 82067dbb-e53b-4e06-b631-546d197452d9 |
| Key Vault | Secrets should have more than the specified number of days before expiration | Required | No | | | | | | | | | minimumDaysBeforeExpiration | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_Expiry_ByDays.json | b0eb591a-5e70-4534-a8bf-04b9c489584a |
| Key Vault | Secrets should have the specified maximum validity period | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ValidityPeriod.json | 342e8053-e12e-4c44-be01-c3c2f318400f |
| Key Vault | Secrets should not be active for longer than the specified number of days | Required | No | | | | | | | | | maximumValidityInDays | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Key%20Vault/Secrets_ActivePeriod.json | e8d99835-8a06-45ae-a8e0-87a91941ccfe |
| Kubernetes | Kubernetes cluster containers CPU and memory resource limits should not exceed the specified limits | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, cpuLimit, memoryLimit | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json | e345eecc-fa47-480f-9e88-67dcc122b164 |
| Kubernetes | Kubernetes cluster containers should not share host process ID or host IPC namespace | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json | 47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8 |
| Kubernetes | Kubernetes cluster containers should not use forbidden sysctl interfaces | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, forbiddenSysctls | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ForbiddenSysctlInterfaces.json | 56d0a13f-712f-466b-8416-56fb354fb823 |
| Kubernetes | Kubernetes cluster containers should only listen on allowed ports | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedContainerPortsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPorts.json | 440b515e-a580-421e-abeb-b159a61ddcbc |
| Kubernetes | Kubernetes cluster containers should only use allowed AppArmor profiles | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedProfiles | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json | 511f5417-5d12-434d-ab2e-816901e72a5e |
| Kubernetes | Kubernetes cluster containers should only use allowed ProcMountType | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, procMountType | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedProcMountType.json | f85eb0dd-92ee-40e9-8a76-db25a507d6d3 |
| Kubernetes | Kubernetes cluster containers should only use allowed capabilities | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedCapabilities, requiredDropCapabilities | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json | c26596ff-4d70-4e6a-9a30-c2506bd2f80c |
| Kubernetes | Kubernetes cluster containers should only use allowed images | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedContainerImagesRegex | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json | febd0533-8e55-448f-b837-bd0e06f16469 |
| Kubernetes | Kubernetes cluster containers should only use allowed seccomp profiles | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedProfiles | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedSeccompProfile.json | 975ce327-682c-4f2e-aa46-b9598289b86c |
| Kubernetes | Kubernetes cluster containers should run with a read only root file system | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json | df49d893-a74c-421d-bc95-c663042e5b80 |
| Kubernetes | Kubernetes cluster pod FlexVolume volumes should only use allowed drivers | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedFlexVolumeDrivers | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/FlexVolumeDrivers.json | f4a8fce0-2dd5-4c21-9a36-8f0ec809d663 |
| Kubernetes | Kubernetes cluster pod hostPath volumes should only use allowed host paths | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedHostPaths | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json | 098fc59e-46c7-4d99-9b16-64990e543d75 |
| Kubernetes | Kubernetes cluster pods and containers should only run with approved user and group IDs | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, runAsUserRule, runAsUserRanges, runAsGroupRule, runAsGroupRanges, supplementalGroupsRule, supplementalGroupsRanges, fsGroupRule, fsGroupRanges | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json | f06ddb64-5fa3-4b77-b166-acb36f7f6042 |
| Kubernetes | Kubernetes cluster pods and containers should only use allowed SELinux options | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedSELinuxOptions | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/SELinux.json | e1e6c427-07d9-46ab-9689-bfa85431e636 |
| Kubernetes | Kubernetes cluster pods should only use allowed volume types | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedVolumeTypes | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedVolumeTypes.json | 16697877-1118-4fb1-9b65-9898ec2509ec |
| Kubernetes | Kubernetes cluster pods should only use approved host network and port range | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowHostNetwork, minPort, maxPort | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json | 82985f06-dc18-4a48-bc1c-b9f4f0098cfe |
| Kubernetes | Kubernetes cluster pods should use specified labels | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, labelsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/PodEnforceLabels.json | 46592696-4c7b-4bf3-9e45-6c2763bdc0a6 |
| Kubernetes | Kubernetes cluster services should listen only on allowed ports | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedServicePortsList | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json | 233a2a17-77ca-4fb1-9b6b-69223d272a44 |
| Kubernetes | Kubernetes cluster services should only use allowed external IPs | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, allowedExternalIPs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/AllowedExternalIPs.json | d46c275d-1680-448d-b2ec-e495a3b6cc89 |
| Kubernetes | Kubernetes cluster should not allow privileged containers | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, excludedContainers | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json | 95edb821-ddaf-4404-9732-666045e056b4 |
| Kubernetes | Kubernetes clusters should be accessible only over HTTPS | Required | No | DP-4 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json | 1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d |
| Kubernetes | Kubernetes clusters should disable automounting API credentials | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/BlockAutomountToken.json | 423dd1ba-798e-40e4-9c4d-b6902674b423 |
| Kubernetes | Kubernetes clusters should not allow container privilege escalation | Required | No | PV-2 | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json | 1c6e92c9-99f0-4e55-9cf2-0c234dc48f99 |
| Kubernetes | Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedSysAdminCapability.json | d2e7ea85-6b44-4317-a0be-1b951587f626 |
| Kubernetes | Kubernetes clusters should not use specific security capabilities | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector, disallowedCapabilities | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/ContainerDisallowedCapabilities.json | a27c700f-8a22-44ec-961c-41625264370b |
| Kubernetes | Kubernetes clusters should not use the default namespace | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/BlockDefaultNamespace.json | 9f061a12-e40d-4183-a00e-171812443373 |
| Kubernetes | Kubernetes clusters should use internal load balancers | Required | No | | | | | | | | | excludedNamespaces, namespaces, labelSelector | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Kubernetes/LoadbalancerNoPublicIPs.json | 3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e |
| Lighthouse | Allow managing tenant ids to onboard through Azure Lighthouse | Required | No | | | | | | | | | listOfAllowedTenants | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Lighthouse/AllowCertainManagingTenantIds_Deny.json | 7a8a51a3-ad87-4def-96f3-65a1839242b6 |
| Machine Learning | Configure allowed Python packages for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, allowedPythonPackageChannels | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedPythonPackageChannels_EnforceSetting.json | 77eeea86-7e81-4a7d-9067-de844d096752 |
| Machine Learning | Configure allowed module authors for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, allowedModuleAuthors | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedModuleAuthors_EnforceSetting.json | 53c70b02-63dd-11ea-bc55-0242ac130003 |
| Machine Learning | Configure allowed registries for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, allowedACRs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedACRs_EnforceSetting.json | 5853517a-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure an approval endpoint called prior to jobs running for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, approvalEndpoint | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/ApprovalEndpoint_EnforceSetting.json | 3948394e-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure code signing for training code for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, signingKey | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedSigningKey_EnforceSetting.json | 6a6f7384-63de-11ea-bc55-0242ac130003 |
| Machine Learning | Configure log filter expressions and datastore to be used for full logs for specified Azure Machine Learning computes | Required | No | | | | | | | | | computeNames, computeType, isIsolatedNetwork, logFilters, datastore | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Machine%20Learning/AllowedLogFilter_EnforceSetting.json | 1d413020-63de-11ea-bc55-0242ac130003 |
| Media Services | Azure Media Services content key policies should use token authentication | Required | No | | | | | | | | | openIdConnectDiscoveryDocument, issuer, audience | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/ContentKeyPolicies_RequireTokenAuth_Audit.json | daccf7e4-9808-470c-a848-1c5b582a1afb |
| Media Services | Azure Media Services jobs with HTTPS inputs should limit input URIs to permitted URI patterns | Required | No | | | | | | | | | allowedJobInputHttpUriPatterns | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Media%20Services/Jobs_RestrictHttpInputs.json | e9914afe-31cd-4b8a-92fa-c887f847d477 |
| Monitoring | An activity log alert should exist for specific Administrative operations | Required | Yes | | 5.2.9 | | | | | 1271.09ad1System.1 - 09.ad | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_AdministrativeOperations_Audit.json | b954148f-4c11-4c38-8221-be76711e194a |
| Monitoring | An activity log alert should exist for specific Policy operations | Required | Yes | | 5.2.2 | | | | | | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_PolicyOperations_Audit.json | c5447c04-a4d7-4ba8-a263-c9ee321a6858 |
| Monitoring | An activity log alert should exist for specific Security operations | Required | Yes | | 5.2.8 | | | | | | | operationName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_SecurityOperations_Audit.json | 3b980d31-7904-4bb7-8575-5665739a8052 |
| Monitoring | Audit diagnostic setting | Required | Yes | | | | A.12.4.4 | 3.3.4 | AU-12 | 1210.09aa3System.3 - 09.aa | DM-6 | listOfResourceTypes | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json | 7f89b1eb-583c-429a-8828-af049802c1d9 |
| Monitoring | Dependency agent should be enabled for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_Audit.json | 11ac78e3-31bc-4f0c-8434-37ab963cea07 |
| Monitoring | Dependency agent should be enabled in virtual machine scale sets for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/DependencyAgent_OSImage_VMSS_Audit.json | e2dd799a-a932-4e9d-ac17-d473bc3c6c10 |
| Monitoring | Log Analytics Agent should be enabled for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_Audit.json | 32133ab0-ee4b-4b44-98d6-042180979d50 |
| Monitoring | Log Analytics agent should be enabled in virtual machine scale sets for listed virtual machine images | Required | Yes | | | | | | | | | listOfImageIdToInclude_windows, listOfImageIdToInclude_linux | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_OSImage_VMSS_Audit.json | 5c3bc7b8-a64c-4e08-a9cd-7ff0f31e1138 |
| Monitoring | Virtual machines should be connected to a specified workspace | Required | Yes | | | | | | | | | logAnalyticsWorkspaceId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Monitoring/LogAnalytics_WorkspaceMismatch_VM_Audit.json | f47b5582-33ec-4c5c-87c0-b010a6b2e917 |
| Network | A custom IPsec/IKE policy must be applied to all Azure virtual network gateway connections | Required | Yes | | | | | | | | | IPsecEncryption, IPsecIntegrity, IKEEncryption, IKEIntegrity, DHGroup, PFSGroup | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VPNGateways_CustomIpSecPolicies_Audit.json | 50b83b09-03da-41c1-b656-c293c914862b |
| Network | Network Watcher should be enabled | Required | Yes | LT-3 | 6.5 | | | 3.14.6 | | 0888.09n2Organizational.6 - 09.n | | listOfLocations, resourceGroupName | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json | b6e2945c-0b7b-40f5-9233-7a5323b5cdc6 |
| Network | Virtual machines should be connected to an approved virtual network | Required | No | | | | | | | 0814.01n1Organizational.12 - 01.n | | virtualNetworkId | https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json | d416745a-506c-48b6-8ab1-83cb814bcaa3 |
| Network | Virtual networks should use specified virtual network gateway | Required | Yes | | | | | | | | | virtualNetworkGatewayId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Network/VirtualNetwork_ApprovedVirtualNetworkGateway_AuditIfNotExists.json | f1776c76-f58c-4245-a8d0-2b207198dc8b |
| SQL | Virtual network firewall rule on Azure SQL Database should be enabled to allow traffic from the specified subnet | Required | Yes | | | | | | | | | subnetId | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/SQL/SqlServer_VNetRules_Audit.json | 77e8b146-0078-4fb2-b002-e112381199f0 |
| Storage | Storage accounts should be limited by allowed SKUs | Required | No | | | | | | | | | listOfAllowedSKUs | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Storage/AllowedStorageSkus_Audit.json | 7433c107-6db4-4ad1-b57a-a76dce0154a1 |
| Synapse | Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants | Required | No | | | | | | | | | allowedTenantIds | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Synapse/Workspace_DataExfiltrationPrevention_Deny.json | 3a003702-13d2-4679-941b-937e58c443f0 |
| Tags | Require a tag and its value on resource groups | Required | No | | | | | | | | | tagName, tagValue | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/ResourceGroupRequireTagAndValue_Deny.json | 8ce3da23-7156-49e4-b145-24f95f9dcb46 |
| Tags | Require a tag and its value on resources | Required | No | | | | | | | | | tagName, tagValue | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/RequireTagAndValue_Deny.json | 1e30110a-5ceb-460c-a204-c1c3969c6d62 |
| Tags | Require a tag on resource groups | Required | No | | | | | | | | | tagName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/ResourceGroupRequireTag_Deny.json | 96670d01-0a4d-4649-9c89-2d3abc0a5025 |
| Tags | Require a tag on resources | Required | No | | | | | | | | | tagName | https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions/Tags/RequireTag_Deny.json | 871b6d14-10aa-478d-b590-94f262ecfa99 |