Policy Definitions¶
This section provides a list of policy definitions included in the Mission Enclave Policy starter implementation.
Intermedite Root Management Group¶
| Policy Name | Description | Policy Type | Initiative | Parameter |
|---|---|---|---|---|
Allowed locations |
This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region. | Policy Definition,Built-in |
General Goverance | {"listOfAllowedLocations":{"value":["eastus","eastus2","westus","westus2"]}} |
Audit lock on Networking Resource Types |
This policy audits if a resource lock 'CanNotDelete' or 'ReadOnly' has been applied to the specified Networking components. | Policy Definition,Built-in |
General Goverance | {"resourceTypes": {"type": "Array", "metadata": {"description": "Azure netowrking resource types to audit for Locks","displayName": "resourceTypes"},"defaultValue": ["microsoft.network/expressroutecircuits", "microsoft.network/expressroutegateways", "microsoft.network/virtualnetworks", "microsoft.network/virtualnetworkgateways", "microsoft.network/vpngateways", "microsoft.network/p2svpngateways"]}} |
Allowed virtual machine size SKUs |
This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy. | Policy Definition,Built-in |
General Goverance | {"listOfAllowedSKUs":{"value":["Standard_DS1_v2","Standard_DS2_v2","Standard_DS3_v2","Standard_DS4_v2","Standard_DS5_v2","Standard_DS11_v2","Standard_DS12_v2","Standard_DS13_v2","Standard_DS14_v2","Standard_DS15_v2"]}} |
Deploy Microsoft Defender for Cloud Security Contacts |
This policy deploys Microsoft Defender for Cloud Security Contacts. | Policy Definition,Custom |
Security Goverance | "emailSecurityContact": {"type": "string","metadata": {"description": "Provide email address for Azure Security Center contact details","displayName": "Security contacts email address"},"defaultValue": "anoa@contoso.com"}, |
Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data |
Enable export to Log Analytics workspace of Microsoft Defender for Cloud data. This policy deploys an export to Log Analytics workspace configuration with your conditions and target workspace on the assigned scope. To deploy this policy on newly created subscriptions, open the Compliance tab, select the relevant non-compliant assignment and create a remediation task. | Policy Definition,Custom |
Security Governance | |
Audit Public Network Access |
This policy set audits Azure resources that allow access from the public internet. | Policy Definition Set, Built-in |
Audit Public Network Access | |
Configure Microsoft Defender for Cloud plans |
This policy set deploys Microsoft Defender for Cloud provides comprehensive, cloud-native protections from development to runtime in multi-cloud environments. Use the policy initiative to configure Defender for Cloud plans and extensions to be enabled on selected scope(s). | Policy Definition Set, Built-in |
Configure Microsoft Defender for Cloud plans | |
Deploy Diagnostic Settings for Subscriptions to a Log Analytics workspace |
Deploys the diagnostic settings for Subscriptions to stream to a Log Analytics workspace when any Subscription which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace |
Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace |
Deploys the diagnostic settings for SQL Managed Instances to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for Public IPs to a Log Analytics workspace |
Deploys the diagnostic settings for Azure Public IPs to stream to a regional Log Analytics workspace when any Azure Public IPs which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace |
Deploys the diagnostic settings for Azure Network Interfaces to stream to a regional Log Analytics workspace when any Azure Network Interfaces which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace |
Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for Firewall to Log Analytics workspace |
Deploys the diagnostic settings for Azure Firewall to stream to a regional Log Analytics workspace when any Azure Firewall which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace |
Deploys the diagnostic settings for Azure Bastion to stream to a regional Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace |
Deploys the diagnostic settings for Azure Virtual Network to stream to a regional Log Analytics workspace when any Azure Virtual Network which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace |
Deploys the diagnostic settings for Azure App Service Plan to stream to a regional Log Analytics workspace when any Azure App Service Plan which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Diagnostic Settings for App Service to Log Analytics workspace |
Deploys the diagnostic settings for Azure App Service to stream to a regional Log Analytics workspace when any Azure App Service which is missing this diagnostic settings is created or updated. | Policy Definition,Custom |
Monitoring Goverance | |
Deploy Activity Log Key Vault Delete Alert |
Policy to Deploy Activity Log Key Vault Delete Alert. | Policy Definition,Custom |
Monitoring Goverance | |
DenyAction implementation on Activity Logs |
This is a DenyAction implementation policy on Activity Logs.. | Policy Definition,Custom |
Monitoring Goverance | |
DenyAction implementation on Diagnostic Logs. |
DenyAction implementation on Diagnostic Logs. | Policy Definition,Custom |
Monitoring Goverance | |
Azure Active Directory should use private link to access Azure services |
Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure AD, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365).. | Policy Definition,Built-in |
Identity and Access Management Governance | |
A maximum of 3 owners should be designated for your subscription |
It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner.. | Policy Definition,Built-in |
Identity and Access Management Governance | |
Blocked accounts with owner permissions on Azure resources should be removed |
Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in.. | Policy Definition,Built-in |
Identity and Access Management Governance | |
Audit usage of custom RBAC roles |
Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Policy Definition,Built-in |
Identity and Access Management Governance | |
Accounts with owner permissions on Azure resources should be MFA enabled |
Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. | Policy Definition,Built-in |
Identity and Access Management Governance | |
Deploy SQL Database security Alert Policies configuration with email admin accounts |
Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration. | Policy Definition,Built-in |
SQL Security Governance | |
Deploy SQL database auditing settings |
Deploy auditing settings to SQL Database when it not exist in the deployment. | Policy Definition,Built-in |
SQL Security Governance | |
SQL servers deploys a specific min TLS version requirement |
Deploys a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. | Policy Definition,Built-in |
SQL Security Governance | |
Deploy SQL Database Vulnerability Assessments |
Deploy SQL Database Vulnerability Assessments when it does not exist in the deployment, and save results to the storage account specified in the parameters. | Policy Definition,Built-in |
SQL Security Governance | |
Deploy SQL DB transparent data encryption |
Enables transparent data encryption on SQL databases. | Policy Definition,Built-in |
SQL Security Governance | |
Configure Azure Defender to be enabled on SQL servers |
Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | Policy Definition,Built-in |
SQL Security Governance | |
Deploy Advanced Data Security on SQL servers |
This policy enables Advanced Data Security on SQL Servers. This includes turning on Threat Detection and Vulnerability Assessment. It will automatically create a storage account in the same region and resource group as the SQL server to store scan results, with a 'sqlva' prefix. | Policy Definition,Built-in |
SQL Security Governance | |
An Azure Active Directory administrator should be provisioned for SQL servers |
Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services. | Policy Definition,Built-in |
SQL Security Governance |
Platforms Management Group¶
| Policy Name | Description | Policy Type | Initiative | Parameter |
|---|---|---|---|---|
Key vaults should have soft delete enabled |
This policy requires that all Key Vaults should have soft delete enabled. | Policy Definition,Built-in |
Key Vault Governance | |
Key vaults should have deletion protection enabled |
This policy requires that all Key Vaults should have deletion protection enabled. | Policy Definition,Built-in |
Key Vault Governance | |
Key Vault secrets should have an expiration date |
This policy requires that all Key Vault secrets should have an expiration date. | Policy Definition,Built-in |
Key Vault Governance | |
Key Vault keys should have an expiration date |
This policy requires that all Key Vault keys should have an expiration date. | Policy Definition,Built-in |
Key Vault Governance | |
Azure Key Vault should have firewall enabled |
This policy requires that all Key Vaults should have firewall enabled. | Policy Definition,Built-in |
Key Vault Governance | |
Keys should have more than the specified number of days before expiration |
This policy requires that all keys should have more than the specified number of days before expiration. | Policy Definition,Built-in |
Key Vault Governance | |
Secrets should have more than the specified number of days before expiration |
This policy requires that all secrets should have more than the specified number of days before expiration. | Policy Definition,Built-in |
Key Vault Governance | |
Azure Key Vaults should use private link |
This policy requires that all Key Vaults should use private link. | Policy Definition,Built-in |
Key Vault Governance | |
Storage accounts should use private link |
This policy requires that all Storage Accounts should use private link. | Policy Definition,Built-in |
Storage Account Governance | |
Storage accounts should have the specified minimum TLS version |
This policy requires that all Storage Accounts should have the specified minimum TLS version. | Policy Definition,Built-in |
Storage Account Governance | |
Storage accounts should allow access from trusted Microsoft services |
This policy requires that all Storage Accounts should allow access from trusted Microsoft services. | Policy Definition,Built-in |
Storage Account Governance | |
Storage accounts should disable public network access |
This policy requires that all Storage Accounts should disable public network access. | Policy Definition,Built-in |
Storage Account Governance | |
Storage accounts should prevent cross tenant object replication |
This policy requires that all Storage Accounts should prevent cross tenant object replication. | Policy Definition,Built-in |
Storage Account Governance | |
Configure secure transfer of data on a storage account |
This policy requires that all Storage Accounts should have secure transfer of data enabled. | Policy Definition,Built-in |
Storage Account Governance | |
Geo-redundant storage should be enabled for Storage Accounts |
This policy requires that all Storage Accounts should have geo-redundant storage enabled. | Policy Definition,Built-in |
Storage Account Governance |
Operations Management Group¶
| Policy Name | Description | Policy Type | Initiative | Parameter |
|---|---|---|---|---|
Deny the creation of public IP |
This policy denies creation of Public IPs under the assigned scope. | Policy Definition,Built-in |
Network Governance | |
Management port access from the Internet should be blocked |
This policy denies any network security rule that allows management port access from the Internet. | Policy Definition,Custom |
Network Governance | |
Deny Azure Bastion Hosts resource creation |
This policy denies the creation of Azure Bastion Hosts under the assigned scope. | Policy Definition,Custom |
Network Governance | |
RDP access from the Internet should be blocked |
This policy denies any network security rule that allows RDP access from the Internet. | Policy Definition,Custom |
Network Governance | |
Require NSG on VNET |
This policy requires that a Network Security Group (NSG) is associated with a Virtual Network. | Policy Definition,Custom |
Network Governance | |
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall. |
This policy requires that all Internet traffic should be routed via your deployed Azure Firewall. | Policy Definition,Built-in |
Network Governance | |
Subscription should configure the Azure Firewall Premium to provide additional layer of protection. |
Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium. | Policy Definition,Built-in |
Network Governance | |
Configure virtual network to enable Flow Log and Traffic Analytics |
This policy requires that all virtual networks should have Flow Log and Traffic Analytics enabled. | Policy Definition,Built-in |
Network Governance | |
Configure network security groups to enable traffic analytics |
Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Policy Definition,Built-in |
Network Governance | |
Network Watcher flow logs should have traffic analytics enabled |
This policy requires that all Network Watcher flow logs should have traffic analytics enabled. | Policy Definition,Built-in |
Network Governance | |
Flow logs should be configured for every network security group |
This policy requires that all network security groups should have flow logs enabled. | Policy Definition,Built-in |
Network Governance | |
Azure DDoS Protection should be enabled |
This policy requires that Azure DDoS Protection should be enabled for virtual networks. | Policy Definition,Built-in |
Network Governance | |
Network interfaces should not have public IPs |
This policy denies the creation of public IP addresses on network interfaces. | Policy Definition,Built-in |
Network Governance |
Security Management Group¶
| Policy Name | Description | Policy Type | Initiative | Parameter |
|---|---|---|---|---|
Deny the creation of public IP |
This policy denies creation of Public IPs under the assigned scope. | Policy Definition,Built-in |
Network Governance | |
Management port access from the Internet should be blocked |
This policy denies any network security rule that allows management port access from the Internet. | Policy Definition,Custom |
Network Governance | |
Deny Azure Bastion Hosts resource creation |
This policy denies the creation of Azure Bastion Hosts under the assigned scope. | Policy Definition,Custom |
Network Governance | |
RDP access from the Internet should be blocked |
This policy denies any network security rule that allows RDP access from the Internet. | Policy Definition,Custom |
Network Governance | |
Require NSG on VNET |
This policy requires that a Network Security Group (NSG) is associated with a Virtual Network. | Policy Definition,Custom |
Network Governance | |
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall. |
This policy requires that all Internet traffic should be routed via your deployed Azure Firewall. | Policy Definition,Built-in |
Network Governance | |
Subscription should configure the Azure Firewall Premium to provide additional layer of protection. |
Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium. | Policy Definition,Built-in |
Network Governance | |
Configure virtual network to enable Flow Log and Traffic Analytics |
This policy requires that all virtual networks should have Flow Log and Traffic Analytics enabled. | Policy Definition,Built-in |
Network Governance | |
Configure network security groups to enable traffic analytics |
Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Policy Definition,Built-in |
Network Governance | |
Network Watcher flow logs should have traffic analytics enabled |
This policy requires that all Network Watcher flow logs should have traffic analytics enabled. | Policy Definition,Built-in |
Network Governance | |
Flow logs should be configured for every network security group |
This policy requires that all network security groups should have flow logs enabled. | Policy Definition,Built-in |
Network Governance | |
Azure DDoS Protection should be enabled |
This policy requires that Azure DDoS Protection should be enabled for virtual networks. | Policy Definition,Built-in |
Network Governance | |
Network interfaces should not have public IPs |
This policy denies the creation of public IP addresses on network interfaces. | Policy Definition,Built-in |
Network Governance |
Identity Management Group¶
| Policy Name | Description | Policy Type | Initiative | Parameter |
|---|---|---|---|---|
Deny the creation of public IP |
This policy denies creation of Public IPs under the assigned scope. | Policy Definition,Built-in |
Network Governance | |
Management port access from the Internet should be blocked |
This policy denies any network security rule that allows management port access from the Internet. | Policy Definition,Custom |
Network Governance | |
Deny Azure Bastion Hosts resource creation |
This policy denies the creation of Azure Bastion Hosts under the assigned scope. | Policy Definition,Custom |
Network Governance | |
RDP access from the Internet should be blocked |
This policy denies any network security rule that allows RDP access from the Internet. | Policy Definition,Custom |
Network Governance | |
Require NSG on VNET |
This policy requires that a Network Security Group (NSG) is associated with a Virtual Network. | Policy Definition,Custom |
Network Governance | |
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall. |
This policy requires that all Internet traffic should be routed via your deployed Azure Firewall. | Policy Definition,Built-in |
Network Governance | |
Subscription should configure the Azure Firewall Premium to provide additional layer of protection. |
Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium. | Policy Definition,Built-in |
Network Governance | |
Configure virtual network to enable Flow Log and Traffic Analytics |
This policy requires that all virtual networks should have Flow Log and Traffic Analytics enabled. | Policy Definition,Built-in |
Network Governance | |
Configure network security groups to enable traffic analytics |
Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Policy Definition,Built-in |
Network Governance | |
Network Watcher flow logs should have traffic analytics enabled |
This policy requires that all Network Watcher flow logs should have traffic analytics enabled. | Policy Definition,Custom |
Network Governance | |
Flow logs should be configured for every network security group |
This policy requires that all network security groups should have flow logs enabled. | Policy Definition,Built-in |
Network Governance | |
Azure DDoS Protection should be enabled |
This policy requires that Azure DDoS Protection should be enabled for virtual networks. | Policy Definition,Built-in |
Network Governance | |
Network interfaces should not have public IPs |
This policy denies the creation of public IP addresses on network interfaces. | Policy Definition,Built-in |
Network Governance |
DevSecOps Management Group¶
| Policy Name | Description | Policy Type | Initiative | Parameter |
|---|---|---|---|---|
Deny the creation of public IP |
This policy denies creation of Public IPs under the assigned scope. | Policy Definition,Built-in |
Network Governance | |
Management port access from the Internet should be blocked |
This policy denies any network security rule that allows management port access from the Internet. | Policy Definition,Custom |
Network Governance | |
Deny Azure Bastion Hosts resource creation |
This policy denies the creation of Azure Bastion Hosts under the assigned scope. | Policy Definition,Custom |
Network Governance | |
RDP access from the Internet should be blocked |
This policy denies any network security rule that allows RDP access from the Internet. | Policy Definition,Custom |
Network Governance | |
Require NSG on VNET |
This policy requires that a Network Security Group (NSG) is associated with a Virtual Network. | Policy Definition,Custom |
Network Governance | |
[Preview]: All Internet traffic should be routed via your deployed Azure Firewall. |
This policy requires that all Internet traffic should be routed via your deployed Azure Firewall. | Policy Definition,Built-in |
Network Governance | |
Subscription should configure the Azure Firewall Premium to provide additional layer of protection. |
Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments. Deploy Azure Firewall Premium to your subscription and make sure all the service traffic are protected by Azure Firewall Premium. To learn more about Azure Firewall Premium, visit https://aka.ms/fw-premium. | Policy Definition,Built-in |
Network Governance | |
Configure virtual network to enable Flow Log and Traffic Analytics |
This policy requires that all virtual networks should have Flow Log and Traffic Analytics enabled. | Policy Definition,Built-in |
Network Governance | |
Configure network security groups to enable traffic analytics |
Traffic analytics can be enabled for all network security groups hosted in a particular region with the settings provided during policy creation. If it already has Traffic analytics enabled, then policy does not overwrite its settings. Flow Logs are also enabled for the Network security groups that do not have it. Traffic analytics is a cloud-based solution that provides visibility into user and application activity in cloud networks. | Policy Definition,Built-in |
Network Governance | |
Network Watcher flow logs should have traffic analytics enabled |
This policy requires that all Network Watcher flow logs should have traffic analytics enabled. | Policy Definition,Built-in |
Network Governance | |
Flow logs should be configured for every network security group |
This policy requires that all network security groups should have flow logs enabled. | Policy Definition,Built-in |
Network Governance | |
Azure DDoS Protection should be enabled |
This policy requires that Azure DDoS Protection should be enabled for virtual networks. | Policy Definition,Built-in |
Network Governance | |
Network interfaces should not have public IPs |
This policy denies the creation of public IP addresses on network interfaces. | Policy Definition,Built-in |
Network Governance |
Workloads Management Group¶
| Policy Name | Description | Policy Type | Initiative | Parameter |
|---|---|---|---|---|