Policy-driven governance means using Azure Policy to build and provide guardrails, and to enable autonomy for the platform and application teams regardless of their scale point. Those guardrails ensure that deployed workloads and applications comply with your organization's security and compliance requirements, and therefore provide a secure path to the public cloud.
Out of the box, the deployed product has a set of initial policies assigned at different scopes of the management group hierarchy.
Initially this scope only has policy assignments inherited from the Jumpstart root management group.
Initially this scope only has policy assignments inherited from the Jumpstart root management group.
Initially this scope only has policy assignments inherited from the Jumpstart root management group.
Initially this scope only has policy assignments inherited from the Jumpstart root and landing zones management group scopes.
Customization depends on the features or policies you want to change. Several features use policies as their deployment result, and some policies are deployed by default without being tied to any feature. All policies can be customized, but in most cases this is an advanced approach.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deploy-ASC-Monitoring" | Initiative | Azure Security Benchmark |
| "Deploy-MDFC-Config-H224" | Custom Initiative | Deploy Microsoft Defender for Cloud configuration and Security Contacts. |
| "Deploy-AzActivity-Log" | Policy | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events |
| "Deny-RSG-Locations" | Policy | Specifies the allowed locations (regions) where Resource Groups can be deployed. |
| "Deploy-Diag-LogsCat" | Initiative | Ensures that Azure resources are configured to forward diagnostic logs to an Azure Log Analytics workspace. |
| "Deploy-Storage-Diag" | Custom Initiative | Deploys diagnostic settings (Security Logs) for all Azure Storage services (Blob, File, Queue, Table) to Log Analytics. |
| "Deny-NSG-InboundRule-Any" | Custom Policy | This policy denies creation of NSG inbound rules where the source is '*' or 'Any' to enhance security |
| "Deny-Resource-Locations" | Policy | Specifies the allowed locations (regions) where Resources can be deployed. |
| "ISO-27001-2013" | Initiative | This initiative includes audit and virtual machine extension deployment policies that address a subset of ISO 27001:2013 controls. Additional policies will be added in upcoming releases. For more information, visit https://aka.ms/iso27001-init. |
| "NW-agent-for-windows" | Custom Policy | Deploy Network Watcher agent for Windows virtual machines if the virtual machine image is in the list defined and the agent is not installed. |
| "NW-agent-for-linux" | Custom Policy | Deploy Network Watcher agent for Linux virtual machines if the VM Image (OS) is in the list defined and the agent is not installed. |
| "SQL-Auditing" | Custom Policy | Enable SQL Auditing on server level for PaaS to send logs to Log Analytics Workspace. |
| "Deploy-Update-Lin-Agent" | Custom Policy | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
| "Deploy-Update-Win-Agent" | Custom Policy | Configure auto-assessment (every 24 hours) for OS updates on native Azure virtual machines. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode. |
| Policy Display Name | Description |
|---|---|
| Configure Azure Defender for open-source relational databases to be enabled | Enables Microsoft Defender for open-source relational databases (such as MySQL and PostgreSQL) to provide threat detection and security monitoring. |
| Configure Azure Defender for servers to be enabled | Enables Microsoft Defender for Servers to provide advanced threat protection, EDR, and security monitoring for virtual machines and hybrid servers. |
| Configure machines to receive a vulnerability assessment provider | Ensures machines are configured with a vulnerability assessment solution to scan for security weaknesses. |
| Configure Azure Defender for SQL servers on machines to be enabled | Enables Defender for SQL on machines to provide threat detection and vulnerability assessment for SQL Server instances hosted on VMs or Arc-enabled servers. |
| Configure Azure Defender for App Service to be enabled | Enables Microsoft Defender for App Service to detect threats and vulnerabilities in web apps and APIs. |
| Configure Microsoft Defender for Storage to be enabled | Enables Defender for Storage to monitor access patterns and detect malicious activities across storage accounts. |
| Configure Microsoft Defender for Containers to be enabled | Enables Defender for Containers to protect containerized workloads across AKS and container registries. |
| Configure Azure Kubernetes Service clusters to enable Defender profile | Ensures AKS clusters have the Defender security profile enabled for runtime threat protection. |
| Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Deploys the Azure Policy add-on to AKS clusters to enforce governance and security policies. |
| Configure Microsoft Defender for Key Vault plan | Enables Defender for Key Vault to detect suspicious access and potential exploitation attempts. |
| Configure Azure Defender for Resource Manager to be enabled | Enables Defender for Resource Manager to detect anomalous and malicious ARM operations. |
| Configure Azure Defender for Azure SQL database to be enabled | Enables Defender for Azure SQL Database to provide threat detection and vulnerability assessment. |
| Configure Microsoft Defender for Azure Cosmos DB to be enabled | Enables Defender for Cosmos DB to detect anomalous database activities. |
| Configure Microsoft Defender CSPM plan | Enables the Cloud Security Posture Management (CSPM) plan within Defender for Cloud. |
| Deploy Microsoft Defender for Cloud Security Contacts | Configures security contact details and notification preferences for Defender for Cloud alerts. |
| Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data | Configures continuous export of Defender for Cloud alerts and recommendations to Log Analytics. |
| Setup subscriptions to transition to an alternative vulnerability assessment solution | Configures subscriptions to migrate from legacy vulnerability assessment solutions to supported alternatives. |
| Policy Display Name | Description |
|---|---|
| Deploy Diagnostic Settings for Storage Accounts – Blob (Security Logs) | Deploys diagnostic settings to collect and send Azure Storage Blob service security logs to Log Analytics. |
| Deploy Diagnostic Settings for Storage Accounts – File (Security Logs) | Deploys diagnostic settings to collect and send Azure Storage File service security logs to Log Analytics. |
| Deploy Diagnostic Settings for Storage Accounts – Queue (Security Logs) | Deploys diagnostic settings to collect and send Azure Storage Queue service security logs to Log Analytics. |
| Deploy Diagnostic Settings for Storage Accounts – Table (Security Logs) | Deploys diagnostic settings to collect and send Azure Storage Table service security logs to Log Analytics. |
| Policy Display Name | Description |
|---|---|
| Enable logging by category group for Azure AD Domain Services (microsoft.aad/domainservices) to Log Analytics | Enables diagnostic logs and metrics for Azure AD Domain Services using category groups and sends them to Log Analytics. |
| Enable logging by category group for Azure FarmBeats (microsoft.agfoodplatform/farmbeats) to Log Analytics | Configures FarmBeats resource diagnostic logging via category groups to Log Analytics. |
| Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics | Enables API Management gateway, audit, and operational logs using category groups. |
| Enable logging by category group for Container Apps Environments (microsoft.app/managedenvironments) to Log Analytics | Streams Container Apps environment diagnostics and runtime logs. |
| Enable logging by category group for App Configuration (microsoft.appconfiguration/configurationstores) to Log Analytics | Enables configuration store access and operational logs. |
| Enable logging by category group for Attestation providers (microsoft.attestation/attestationproviders) to Log Analytics | Configures attestation request and audit diagnostics. |
| Enable logging by category group for Automation Accounts (microsoft.automation/automationaccounts) to Log Analytics | Streams job, runbook, and operational logs. |
| Enable logging by category group for AVS Private clouds (microsoft.avs/privateclouds) to Log Analytics | Enables Azure VMware Solution infrastructure diagnostics. |
| Enable logging by category group for Playwright Testing (microsoft.azureplaywrightservice/accounts) to Log Analytics | Streams Playwright testing execution and service diagnostics. |
| Enable logging by category group for microsoft.azuresphere/catalogs to Log Analytics | Enables Azure Sphere catalog operational and security logs. |
| Enable logging by category group for Batch accounts (microsoft.batch/batchaccounts) to Log Analytics | Streams Batch job, task, and pool diagnostics. |
| Enable logging by category group for Azure Cache for Redis (microsoft.cache/redis) to Log Analytics | Enables Redis cache connection and performance logs. |
| Enable logging by category group for Caches (microsoft.cache/redisenterprise/databases) to Log Analytics | Streams Redis Enterprise database diagnostics. |
| Enable logging by category group for Front Door and CDN profiles (microsoft.cdn/profiles) to Log Analytics | Enables access, routing, and WAF logs for CDN/Front Door profiles. |
| Enable logging by category group for Chaos Experiments (microsoft.chaos/experiments) to Log Analytics | Streams chaos experiment execution diagnostics. |
| Enable logging by category group for Code Signing Accounts (microsoft.codesigning/codesigningaccounts) to Log Analytics | Enables code signing operations and audit logs. |
| Enable logging by category group for Cognitive Services (microsoft.cognitiveservices/accounts) to Log Analytics | Streams AI service request and audit diagnostics. |
| Enable logging by category group for microsoft.community/communitytrainings to Log Analytics | Enables Community Training platform diagnostics. |
| Enable logging by category group for Managed CCF Apps (microsoft.confidentialledger/managedccfs) to Log Analytics | Streams Confidential Consortium Framework diagnostics. |
| Enable logging by category group for Container registries (microsoft.containerregistry/registries) to Log Analytics | Enables image push/pull and audit logs. |
| Enable logging by category group for Azure Managed Grafana (microsoft.dashboard/grafana) to Log Analytics | Streams Grafana access and operational diagnostics. |
| Enable logging by category group for microsoft.dbformysql/flexibleservers to Log Analytics | Enables MySQL Flexible Server diagnostics. |
| Enable logging by category group for microsoft.dbforpostgresql/flexibleservers to Log Analytics | Streams PostgreSQL Flexible Server logs. |
| Enable logging by category group for Dev centers (microsoft.devcenter/devcenters) to Log Analytics | Enables Dev Center project and environment diagnostics. |
| Enable logging by category group for IoT Hub (microsoft.devices/iothubs) to Log Analytics | Streams device telemetry and operations logs. |
| Enable logging by category group for microsoft.documentdb/cassandraclusters to Log Analytics | Enables Cassandra API cluster diagnostics. |
| Enable logging by category group for Azure Cosmos DB accounts (microsoft.documentdb/databaseaccounts) to Log Analytics | Streams Cosmos DB request and control plane logs. |
| Enable logging by category group for microsoft.documentdb/mongoclusters to Log Analytics | Enables Mongo cluster diagnostics. |
| Enable logging by category group for Event Grid Domains (microsoft.eventgrid/domains) to Log Analytics | Streams domain publish and delivery logs. |
| Enable logging by category group for Event Grid Partner Namespaces (microsoft.eventgrid/partnernamespaces) to Log Analytics | Enables partner event routing diagnostics. |
| Enable logging by category group for Event Grid Topics (microsoft.eventgrid/topics) to Log Analytics | Streams topic publish and delivery logs. |
| Enable logging by category group for Event Hubs Namespaces (microsoft.eventhub/namespaces) to Log Analytics | Enables Event Hubs operational diagnostics. |
| Enable logging by category group for Managed HSMs (microsoft.keyvault/managedhsms) to Log Analytics | Streams Managed HSM audit and access logs. |
| Enable logging by category group for Key vaults (microsoft.keyvault/vaults) to Log Analytics | Enables Key Vault access and audit diagnostics. |
| Enable logging by category group for Azure Data Explorer Clusters (microsoft.kusto/clusters) to Log Analytics | Streams Kusto query and command logs. |
| Enable logging by category group for Azure Load Testing (microsoft.loadtestservice/loadtests) to Log Analytics | Enables load test execution diagnostics. |
| Enable logging by category group for microsoft.machinelearningservices/registries to Log Analytics | Streams ML registry asset operations. |
| Enable logging by category group for Azure Machine Learning (microsoft.machinelearningservices/workspaces) to Log Analytics | Enables workspace experiment and job diagnostics. |
| Enable logging by category group for Media Services (microsoft.media/mediaservices) to Log Analytics | Streams media processing diagnostics. |
| Enable logging by category group for Video Analyzers (microsoft.media/videoanalyzers) to Log Analytics | Enables video analytics pipeline logs. |
| Enable logging by category group for Live events (microsoft.media/mediaservices/liveevents) to Log Analytics | Streams live streaming diagnostics. |
| Enable logging by category group for Streaming Endpoints (microsoft.media/mediaservices/streamingendpoints) to Log Analytics | Enables streaming delivery diagnostics. |
| Enable logging by category group for Volumes (microsoft.netapp/netappaccounts/capacitypools/volumes) to Log Analytics | Streams Azure NetApp Files volume diagnostics. |
| Enable logging by category group for Bastions (microsoft.network/bastionhosts) to Log Analytics | Enables Bastion connection and audit logs. |
| Enable logging by category group for Front Door and CDN profiles (microsoft.network/frontdoors) to Log Analytics | Streams Front Door routing and access diagnostics. |
| Enable logging by category group for Network Managers (microsoft.network/networkmanagers) to Log Analytics | Enables network manager configuration logs. |
| Enable logging by category group for microsoft.network/networkmanagers/ipampools to Log Analytics | Streams IPAM pool diagnostics. |
| Enable logging by category group for microsoft.network/p2svpngateways to Log Analytics | Enables Point-to-Site VPN diagnostics. |
| Enable logging by category group for Public IP addresses (microsoft.network/publicipaddresses) to Log Analytics | Streams Public IP resource diagnostics. |
| Enable logging by category group for Public IP Prefixes (microsoft.network/publicipprefixes) to Log Analytics | Enables Public IP prefix diagnostics. |
| Enable logging by category group for Virtual network gateways (microsoft.network/virtualnetworkgateways) to Log Analytics | Streams VPN gateway diagnostics. |
| Enable logging by category group for microsoft.networkanalytics/dataproducts to Log Analytics | Enables Network Analytics diagnostics. |
| Enable logging by category group for Notification Hub Namespaces (microsoft.notificationhubs/namespaces) to Log Analytics | Streams namespace operational logs. |
| Enable logging by category group for microsoft.notificationhubs/namespaces/notificationhubs to Log Analytics | Enables Notification Hub instance diagnostics. |
| Enable logging by category group for Log Analytics workspaces (microsoft.operationalinsights/workspaces) to Log Analytics | Streams workspace operational diagnostics. |
| Enable logging by category group for Microsoft Purview accounts (microsoft.purview/accounts) to Log Analytics | Enables Purview governance and scan logs. |
| Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics | Streams search query and service diagnostics. |
| Enable logging by category group for Service Bus Namespaces (microsoft.servicebus/namespaces) to Log Analytics | Enables messaging and operational logs. |
| Enable logging by category group for SignalR (microsoft.signalrservice/signalr) to Log Analytics | Streams SignalR connectivity diagnostics. |
| Enable logging by category group for Web PubSub Service (microsoft.signalrservice/webpubsub) to Log Analytics | Enables Web PubSub messaging diagnostics. |
| Enable logging by category group for SQL managed instances (microsoft.sql/managedinstances) to Log Analytics | Streams SQL MI security and operational logs. |
| Enable logging by category group for SQL databases (microsoft.sql/servers/databases) to Log Analytics | Enables Azure SQL Database diagnostics. |
| Enable logging by category group for Azure Synapse Analytics (microsoft.synapse/workspaces) to Log Analytics | Streams Synapse workspace diagnostics. |
| Enable logging by category group for Apache Spark pools (microsoft.synapse/workspaces/bigdatapools) to Log Analytics | Enables Spark pool execution logs. |
| Enable logging by category group for microsoft.synapse/workspaces/kustopools to Log Analytics | Streams Synapse Kusto pool diagnostics. |
| Enable logging by category group for SCOPE pools (microsoft.synapse/workspaces/scopepools) to Log Analytics | Enables SCOPE execution diagnostics. |
| Enable logging by category group for Dedicated SQL pools (microsoft.synapse/workspaces/sqlpools) to Log Analytics | Streams dedicated SQL pool diagnostics. |
| Enable logging by category group for App Service Environments (microsoft.web/hostingenvironments) to Log Analytics | Enables ASE infrastructure and app diagnostics. |
| Enable logging by category group for microsoft.workloads/sapvirtualinstances to Log Analytics | Streams SAP workload infrastructure diagnostics. |
This scope also inherits all the policy assignments from the Jumpstart root and platform management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Enable-DDoS-VNET" | Policy | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. |
This scope also inherits all the policy assignments from the Jumpstart root and platform management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deny-Public-IP" | Custom Policy | This policy denies creation of Public IPs under the assigned scope. |
| "Deny-RDP-From-Internet" | Custom Policy | This policy denies any network security rule that allows RDP access from Internet. |
| "Deny-Subnet-Without-Nsg" | Custom Policy | This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets. |
| "Deploy-VM-Backup" | Policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. |
This scope also inherits all the policy assignments from the Jumpstart root and platform management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deploy-Log-Analytics" | Policy | Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is a prerequisite for solutions like Updates and Change Tracking. |
This scope also inherits all the policy assignments from the Jumpstart root management group scope.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deny-IP-Forwarding" | Policy | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface, so any such interface should be reviewed by the network security team. |
| "Deny-RDP-From-Internet" | Custom Policy | This policy denies any network security rule that allows RDP access from Internet. |
| "Deny-Resource-Types" | Policy | Specifies the Resource Types to deny deployment by policy. |
| "Deny-Subnet-Without-Nsg" | Custom Policy | This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets. |
| "Deny-Storage-http" | Policy | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. |
| "Deploy-AKS-Policy" | Policy | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc. |
| "Deploy-SQL-DB-Auditing" | Policy | Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |
| "Deploy-SQL-Threat" | Policy | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. |
| "Deploy-VM-Backup" | Policy | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. |
| "Deny-Priv-Escalation-AKS" | Policy | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. |
| "Deny-Priv-Containers-AKS" | Policy | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc. |
| "Enable-DDoS-VNET" | Policy | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. |
| "Enforce-AKS-HTTPS" | Policy | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc. |
| "Enforce-TLS-SSL" | Custom Policy | Choose either DeployIfNotExists and Append in combination with Audit, or Deny, as the policy effect. Deny policies shift left. DeployIfNotExists and Append enforce the setting but it can be changed afterwards, and because they lack an existence condition they require the combination with Audit. |
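The following is an added example, not the product's own policy definitions nor the Azure Policy engine: a small offline model of how the "Deny-NSG-InboundRule-Any" and "Deny-RDP-From-Internet" custom policies listed in the tables above would judge an NSG security rule, useful for unit-testing rule definitions before they hit a scope with a Deny effect. The source-prefix sets, the port-range handling and the sample rules are assumptions made for this example.

```python
"""Offline approximation of two custom deny policies from the assignment tables.

This is example code written for this page; it is neither the Azure Policy
engine nor the product's own policy definitions. Rule objects follow the shape
of Microsoft.Network/networkSecurityGroups/securityRules resources.
"""
from __future__ import annotations

from typing import Iterable

RDP_PORT = 3389

# Assumed interpretation of the page's wording: '*' or 'Any' counts as "any
# source" for Deny-NSG-InboundRule-Any; '*' or 'Internet' counts as "from the
# Internet" for Deny-RDP-From-Internet. Comparisons are case-insensitive.
ANY_SOURCE = {"*", "any"}
INTERNET_SOURCE = {"*", "internet"}


def _sources(rule: dict) -> list[str]:
    """Collect sourceAddressPrefix and sourceAddressPrefixes, lower-cased."""
    props = rule.get("properties", {})
    srcs = []
    if props.get("sourceAddressPrefix"):
        srcs.append(props["sourceAddressPrefix"])
    srcs.extend(props.get("sourceAddressPrefixes", []))
    return [s.lower() for s in srcs]


def _port_ranges(rule: dict) -> list[str]:
    """Collect destinationPortRange and destinationPortRanges (either may be set)."""
    props = rule.get("properties", {})
    ranges = []
    if props.get("destinationPortRange"):
        ranges.append(props["destinationPortRange"])
    ranges.extend(props.get("destinationPortRanges", []))
    return ranges


def port_in_ranges(port: int, ranges: Iterable[str]) -> bool:
    """True if `port` is covered by '*', a single port, or a 'lo-hi' range."""
    for r in ranges:
        r = r.strip()
        if r == "*":
            return True
        if "-" in r:
            lo, hi = (int(p) for p in r.split("-", 1))
            if lo <= port <= hi:
                return True
        elif r.isdigit() and int(r) == port:
            return True
    return False


def deny_nsg_inbound_rule_any(rule: dict) -> bool:
    """Deny-NSG-InboundRule-Any: an inbound rule whose source is '*' or 'Any'."""
    props = rule.get("properties", {})
    return (props.get("direction", "").lower() == "inbound"
            and any(s in ANY_SOURCE for s in _sources(rule)))


def deny_rdp_from_internet(rule: dict) -> bool:
    """Deny-RDP-From-Internet: an inbound Allow rule that reaches TCP/3389 from the Internet."""
    props = rule.get("properties", {})
    return (props.get("direction", "").lower() == "inbound"
            and props.get("access", "").lower() == "allow"
            and props.get("protocol", "").lower() in ("tcp", "*")
            and any(s in INTERNET_SOURCE for s in _sources(rule))
            and port_in_ranges(RDP_PORT, _port_ranges(rule)))


def evaluate(rule: dict) -> list[str]:
    """Return the names of the policies that would deny this rule (empty = compliant)."""
    denied = []
    if deny_nsg_inbound_rule_any(rule):
        denied.append("Deny-NSG-InboundRule-Any")
    if deny_rdp_from_internet(rule):
        denied.append("Deny-RDP-From-Internet")
    return denied


def _rule(direction, access, protocol, source, **ports) -> dict:
    return {"properties": {"direction": direction, "access": access,
                           "protocol": protocol, "sourceAddressPrefix": source,
                           **ports}}


# Constructed sample rules (not taken from any real deployment).
SAMPLE_RULES = {
    "allow-rdp-anywhere": _rule("Inbound", "Allow", "Tcp", "*", destinationPortRange="3389"),
    "allow-rdp-range-internet": _rule("Inbound", "Allow", "*", "Internet",
                                      destinationPortRanges=["3380-3390", "443"]),
    "allow-ssh-anywhere": _rule("Inbound", "Allow", "Tcp", "Any", destinationPortRange="22"),
    "allow-https-from-office": _rule("Inbound", "Allow", "Tcp", "203.0.113.0/24",
                                     destinationPortRange="443"),
    "outbound-any": _rule("Outbound", "Allow", "*", "*", destinationPortRange="*"),
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        verdict = evaluate(rule)
        print(f"{name:28s} -> {'denied by ' + ', '.join(verdict) if verdict else 'compliant'}")
```

The port-range handling covers the range form (`3380-3390`) and `*`, the two ways an RDP exposure usually slips past a naive single-port check.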
This scope also inherits all the policy assignments from the Jumpstart root and landing zones management group scopes.
| Policy Assignment Name | Definition Type | Description |
|---|---|---|
| "Deny-Public-Endpoints" | Custom Initiative | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints. |
| "Deploy-Private-DNS-Zones" | Custom Initiative | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones. |
| "Deny-Databricks-Sku" | Custom Policy | This policy enforces the use of Premium Databricks workspaces to make sure appropriate security features are available, including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID. |
| "Deny-Databricks-VirtualNetwork" | Custom Policy | This policy enforces the use of VNet injection for Databricks workspaces. |
| "Deny-Databricks-NoPublicIp" | Custom Policy | This policy prevents the deployment of Databricks workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. |
| Policy Display Name | Description |
|---|---|
| Logic apps should disable public network access | Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. |
| API Management should disable public network access to the service configuration endpoints | Prevents creation of a public endpoint for API Management service configuration. |
| Public network access should be disabled for PaaS services | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints. |
| Deny-PublicEndpoint-CosmosDB | Denies creation of public endpoints on Azure Cosmos DB resources. |
| Deny-PublicEndpoint-MariaDB | Denies creation of public endpoints on Azure Database for MariaDB servers. |
| Deny-PublicEndpoint-MySQL | Denies creation of public endpoints on Azure Database for MySQL servers. |
| Deny-PublicEndpoint-PostgreSql | Denies creation of public endpoints on Azure Database for PostgreSQL servers. |
| Deny-PublicEndpoint-KeyVault | Denies creation of public endpoints on Key Vaults. |
| Deny-PublicEndpoint-Sql | Denies creation of public endpoints on Azure SQL resources. |
| Deny-PublicEndpoint-Storage | Denies creation of public endpoints on Storage accounts. |
| Deny-PublicEndpoint-AKS | Denies creation of public endpoints on Azure Kubernetes Service clusters. |
| Deny-PublicEndpoint-AppConfig | Denies creation of public endpoints on Azure App Configuration resources. |
| Deny-PublicEndpoint-Automation | Denies creation of public endpoints on Azure Automation Accounts. |
| Deny-PublicEndpoint-EventHub | Denies creation of public endpoints on Event Hubs namespaces. |
| Deny-PublicEndpoint-ServiceBus | Denies creation of public endpoints on Service Bus namespaces. |
| Deny-PublicEndpoint-StorageQueue | Denies creation of public endpoints on the Storage Queue service. |
| Deny-PublicEndpoint-StorageTable | Denies creation of public endpoints on the Storage Table service. |
| Deny-PublicEndpoint-StorageBlob | Denies creation of public endpoints on the Storage Blob service. |
| Deny-PublicEndpoint-StorageFile | Denies creation of public endpoints on the Storage File service. |
| Deny-PublicEndpoint-KeyVaultManagedHSM | Denies creation of public endpoints on Managed HSM instances. |
| Deny-PublicEndpoint-CosmosDBCassandra | Denies creation of public endpoints on Azure Cosmos DB Cassandra API accounts. |
| Deny-PublicEndpoint-CosmosDBMongo | Denies creation of public endpoints on Azure Cosmos DB Mongo API accounts. |
| Deny-PublicEndpoint-CosmosDBGremlin | Denies creation of public endpoints on Azure Cosmos DB Gremlin API accounts. |
| Deny-PublicEndpoint-CosmosDBSQL | Denies creation of public endpoints on Azure Cosmos DB SQL API accounts. |
| Deny-PublicEndpoint-CosmosDBTable | Denies creation of public endpoints on Azure Cosmos DB Table API accounts. |
| Deny-PublicEndpoint-AppService | Denies creation of public endpoints on App Service plans and web apps. |
| Deny-PublicEndpoint-FunctionApp | Denies creation of public endpoints on Azure Function Apps. |
| Deny-PublicEndpoint-EventHubCapture | Denies creation of public endpoints on Event Hub Capture enabled namespaces. |
| Deny-PublicEndpoint-ServiceBusPremium | Denies creation of public endpoints on Service Bus Premium SKUs. |
| Deny-PublicEndpoint-ContainerRegistry | Denies creation of public endpoints on Azure Container Registries. |
| Deny-PublicEndpoint-RedisCacheStandard | Denies creation of public endpoints on Redis Cache Standard SKUs. |
| Deny-PublicEndpoint-RedisCachePremium | Denies creation of public endpoints on Redis Cache Premium SKUs. |
| Deny-PublicEndpoint-EventGrid | Denies creation of public endpoints on Event Grid topics and domains. |
| Deny-PublicEndpoint-SignalR | Denies creation of public endpoints on SignalR Service instances. |
| Deny-PublicEndpoint-ServiceFabric | Denies creation of public endpoints on Service Fabric clusters. |
| Deny-PublicEndpoint-SpringApps | Denies creation of public endpoints on Azure Spring Apps. |
| Policy Display Name | Description |
|---|---|
| Deploy-PrivateDNS-AKS | Configure Azure Kubernetes Service clusters to use private DNS zones for their private endpoints. |
| Deploy-PrivateDNS-AppConfig | Configure Azure App Configuration resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppService | Configure Azure App Service plans and apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Automation | Configure Azure Automation Accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Batch | Configure Azure Batch accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CognitiveServices | Configure Cognitive Services resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ContainerRegistry | Configure Container Registries to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDB | Configure Azure Cosmos DB accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventGrid | Configure Event Grid topics and domains to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventHub | Configure Event Hub namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-KeyVault | Configure Key Vaults to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-LogicApps | Configure Logic Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MySQL | Configure Azure Database for MySQL servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PostgreSQL | Configure Azure Database for PostgreSQL servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-RedisCache | Configure Redis Cache instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SQLDB | Configure Azure SQL Databases to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Storage | Configure Storage accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Synapse | Configure Azure Synapse Analytics workspaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-WebPubSub | Configure Azure Web PubSub service instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SpringApps | Configure Azure Spring Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-APIManagement | Configure API Management instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppInsights | Configure Application Insights resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoor | Configure Front Door Standard/Premium to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoorClassic | Configure classic Front Door instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoorPremium | Configure Front Door Premium to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SignalR | Configure SignalR Service instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ContainerApps | Configure Azure Container Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageBlob | Configure Storage Blob service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageQueue | Configure Storage Queue service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageTable | Configure Storage Table service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageFile | Configure Storage File service to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PrivateLinkScope | Configure Private Link Scope resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-DataFactory | Configure Data Factory instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-HDInsight | Configure HDInsight clusters to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Search | Configure Azure Cognitive Search resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventHubCapture | Configure Event Hub Capture enabled namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-Bastion | Configure Azure Bastion hosts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-VPNGateway | Configure Virtual Network Gateways to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-LoadBalancer | Configure Standard Load Balancers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-NIC | Configure Network Interfaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SQLMI | Configure SQL Managed Instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PostgreSQLArc | Configure Azure Arc-enabled PostgreSQL Hyperscale instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SQLMIArc | Configure Azure Arc-enabled SQL Managed Instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MariaDB | Configure Azure Database for MariaDB servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MySQLFlexible | Configure Azure Database for MySQL Flexible servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PostgreSQLFlexible | Configure Azure Database for PostgreSQL Flexible servers to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBCassandra | Configure Cosmos DB Cassandra API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBMongo | Configure Cosmos DB Mongo API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBSQL | Configure Cosmos DB SQL API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBGremlin | Configure Cosmos DB Gremlin API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CosmosDBTable | Configure Cosmos DB Table API accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-MediaServices | Configure Media Services accounts to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-CommunicationServices | Configure Azure Communication Services to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FrontDoorManagement | Configure Front Door management endpoints to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppServiceEnvironment | Configure App Service Environment to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SpringCloud | Configure Azure Spring Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-WebApp | Configure Web Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-FunctionApp | Configure Azure Function Apps to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StreamAnalytics | Configure Stream Analytics jobs to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-EventHubNamespace | Configure Event Hub namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ServiceBusNamespace | Configure Service Bus namespaces to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-RedisCachePremium | Configure Redis Cache Premium SKUs to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-RedisCacheStandard | Configure Redis Cache Standard SKUs to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ApplicationGateway | Configure Application Gateway to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-ExpressRoute | Configure ExpressRoute instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-VNetGatewayHighPerf | Configure High-Performance Virtual Network Gateways to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-NetworkWatcher | Configure Network Watcher resources to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-SignalRStandard | Configure SignalR Service Standard/Premium to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-PrivateLinkService | Configure Private Link Services to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-AppConfigAdvanced | Configure advanced App Configuration instances to use private DNS zones for private endpoints. |
| Deploy-PrivateDNS-StorageAdvanced | Configure advanced Storage Accounts to use private DNS zones for private endpoints. |
The policies are deployed as Terraform IaC via Azure DevOps pipelines, as part of the Jumpstart rollout.
Each definition and assignment deployed with Jumpstart can be managed according to customer requirements via the Azure Portal.
Managing definitions and assignments deployed at the Platform scope (Platform subscriptions and management groups) requires the Jumpstart Azure platform owner role. Landing Zone owner access is required to modify definitions and assignments deployed at the Landing Zone scope.