diff --git a/README.md b/README.md
index 1cc1f0b..30e1f29 100644
--- a/README.md
+++ b/README.md
@@ -42,7 +42,7 @@ You can deploy the following reference implementations to your Azure subscriptio
 | Reference Implementation | Description | Deploy | Instructions
 |:----------|:-------------------------|:------------|:-------|
-| Enterprise Azure OpenAI Hub | Provides an onramp path for Gen AI use cases while ensuring a secure-by-default Azure Open AI workload composition into your Azure regions and subscriptions | Deploy to Azure | [User Guide](./docs/EnterpriseAzureOpenAIHub.md) |
+| Enterprise Azure OpenAI Hub | Provides an onramp path for Gen AI use cases while ensuring a secure-by-default Azure Open AI workload composition into your Azure regions and subscriptions | [![Deploy to Azure](./docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI)| [User Guide](./docs/EnterpriseAzureOpenAIHub.md) |
 ### Things that matters
diff --git a/docs/EnterpriseAzureOpenAIHub.md b/docs/EnterpriseAzureOpenAIHub.md
index 3146300..2a35d91 100644
--- a/docs/EnterpriseAzureOpenAIHub.md
+++ b/docs/EnterpriseAzureOpenAIHub.md
@@ -21,7 +21,7 @@ The reference implementation has been developed, validated, and proven with seve
 | Reference Implementation | Description | Deploy | Instructions
 |:----------|:-------------------------|:------------|:-------|
-| Enterprise Azure OpenAI Hub | Provides an onramp path for Gen AI use cases while ensuring a secure-by-default Azure Open AI workload composition into your Azure regions and subscriptions | Deploy to Azure | You are already here :star: :smiley: |
+| Enterprise Azure OpenAI Hub | Provides an onramp path for Gen AI use cases while ensuring a secure-by-default Azure Open AI workload composition into your Azure regions and subscriptions | [![Deploy to Azure](./deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) | You are already here :star: :smiley: |
 ## What is Enterprise Azure OpenAI Hub?
diff --git a/docs/deploytomicrosoftcloud.svg b/docs/deploytomicrosoftcloud.svg
new file mode 100644
index 0000000..43edee5
--- /dev/null
+++ b/docs/deploytomicrosoftcloud.svg
@@ -0,0 +1 @@
+Deploy to Microsoft Cloud
\ No newline at end of file
diff --git a/enablement/README.md b/enablement/README.md
new file mode 100644
index 0000000..778b3f8
--- /dev/null
+++ b/enablement/README.md
@@ -0,0 +1,16 @@
+# Recommended Azure policies for the Enterprise Azure OpenAI Hub
+
+If you are reading this, you may be on point for Azure service enablement within your organization, and you want to ensure that the Azure OpenAI service alongside with the requisite auxiliary services are deployed with the right configuration, and that the configuration is maintained over time.
+
+Well, in that case, you are at the right place as we provide you with the recommended Azure policies and allows you to deploy them easily to your Management Groups in Azure, with the assumption you have a uniformed approach towards your subscription organizations :smile:
+
+| Azure Policy Initiatives | Description | Deploy
+|:----------|:-------------------------|:------------|
+| Secure and Compliant Azure OpenAI | Preventive and proactive policies to ensure Azure OpenAI conforms to strict security requirements | [![Deploy to Azure](../docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) |
+| Secure and Compliant Azure Key Vault | Preventive and proactive policies to ensure Azure Key Vault conforms to strict security requirements | [![Deploy to Azure](../docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) |
+| Secure and Compliant Azure Storage | Preventive and proactive policies to ensure Azure Storage conforms to strict security requirements | [![Deploy to Azure](../docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) |
+| Secure and Compliant Azure Web App | Preventive and proactive policies to ensure Azure Web App conforms to strict security requirements | [![Deploy to Azure](../docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) |
+| Secure and Compliant API Management | Preventive and proactive policies to ensure API Management conforms to strict security requirements | [![Deploy to 
Azure](../docs/deploytomicrosoftcloud.svg)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fai-hub%2Fmain%2Fenablement%2Fpolicies%2Fapim%2FaCompliant-APIManagementPolicySetDefinition.json/uiFormDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fai-hub%2Fmain%2Fenablement%2Fpolicies%2Fapim%2FCompliantApim.json) |
+| Secure and Compliant Azure Networking | Preventive and proactive policies to ensure Azure Networking conforms to strict security requirements | [![Deploy to Azure](../docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) |
+| Secure and Compliant Azure AI Search | Preventive and proactive policies to ensure Azure AI Search conforms to strict security requirements | [![Deploy to Azure](../docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) |
+| Secure and Compliant Azure Data Factory | Preventive and proactive policies to ensure Azure Data Factory conforms to strict security requirements | [![Deploy to Azure](../docs/deploytomicrosoftcloud.svg)](https://aka.ms/DeploySecureGenAI) |
\ No newline at end of file
diff --git a/enablement/policies/aisearch/Compliant-CognitiveSearchPolicySetDefinition.json b/enablement/policies/aisearch/Compliant-CognitiveSearchPolicySetDefinition.json
new file mode 100644
index 0000000..d433c3f
--- /dev/null
+++ b/enablement/policies/aisearch/Compliant-CognitiveSearchPolicySetDefinition.json
@@ -0,0 +1,327 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Cognitive Search to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Cognitive Search to stream to a Log Analytics workspace when any Open Ai which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Search" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Search/searchServices" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Search/searchServices/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + 
"dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-CognitiveSearch" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-CognitiveSearch", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Cognitive Search" + }, + "displayName": "Enforce secure-by-default Cognitive Search for regulated industries", + "description": "This policy initiative is a group of policies that ensures Cognitive Search is compliant per regulated Landing Zones", + "policyDefinitionGroups": [ + { + "name": 
"Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Cognitive Search", + "description": "Policy to ensure data protection for Cognitive Search" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Cognitive Search is not accessible over the public internet", + "description": "Policy to ensure Cognitive Search not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Cognitive Search", + "description": "Policy to ensure Cognitive Search is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Cognitive Search is logging all events to Log Analytics", + "description": "Policy to ensure Cognitive Search is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "cognitiveSearchDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cognitiveSearchLogAnalyticsResourceId": { + "type": "string", + "defaultValue": "" + }, + "cognitiveSearchSku": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveSearchPublicEndpoint": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveSearchCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "modifyCognitiveSearchLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "modifyCognitiveSearchPublicEndpoint": { + "type": "string", + "defaultValue": "Modify" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-CognitiveSearch-Diagnostics", + "groupNames": [ + 
"Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('cognitiveSearchLogAnalyticsResourceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-SKU", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchSku')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchPublicEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91", + "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", + "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveSearchCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75", + "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30", + "policyDefinitionReferenceId": 
"Modify-CogntiveSearch-PublicEndpoint", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('modifyCognitiveSearchPublicEndpoint')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/enablement/policies/apim/Compliant-APIManagementPolicySetDefinition.json b/enablement/policies/apim/Compliant-APIManagementPolicySetDefinition.json new file mode 100644 index 0000000..b6bfaa2 --- /dev/null +++ b/enablement/policies/apim/Compliant-APIManagementPolicySetDefinition.json 
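Review bot: The `Dine-CognitiveSearch-Diagnostics` reference is placed in the `Network` group although the initiative declares a `Logging` group for exactly this purpose, so per-group compliance views will miscount it; change it to `"groupNames": ["Logging"]`. The custom definition's description was carried over from the OpenAI policy (`when any Open Ai which is missing this diagnostic settings`, `categorys`) and should name Cognitive Search. The initiative defaults `cognitiveSearchDiagnostics` to `DeployIfNotExists` while `cognitiveSearchLogAnalyticsResourceId` defaults to an empty string, so an assignment that accepts the defaults will attempt remediation deployments with no workspace and fail; the same pairing appears for `apimDiagnostics`/`apimLogAnalyticsWorkspaceId` in Compliant-APIManagementPolicySetDefinition.json. Either drop the workspace default or default the effect to `Disabled`, and add `allowedValues` to the effect parameters so assignments cannot pass arbitrary strings. The reference IDs `Deny-CongitiveSearch-LocalAuth`, `Modify-CogntiveSearch-LocalAuth` and `Modify-CogntiveSearch-PublicEndpoint` are misspelled; because a policyDefinitionReferenceId becomes part of assignment and compliance state once used, fix them before first release rather than after.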
@@ -0,0 +1,425 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "API Management services should use a virtual network", + "mode": "Indexed", + "description": "Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network.", + "metadata": { + "version": "1.0.1", + "category": "API Management" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Audit" + }, + "evaluatedSkuNames": { + "type": "Array", + "metadata": { + "displayName": "API Management SKU Names", + "description": "List of API Management SKUs against which this policy will be evaluated." 
+ }, + "allowedValues": [ + "Developer", + "Basic", + "Standard", + "Premium", + "Consumption" + ], + "defaultValue": [ + "Developer", + "Premium" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + { + "field": "Microsoft.ApiManagement/service/sku.name", + "in": "[[parameters('evaluatedSkuNames')]" + }, + { + "anyOf": [ + { + "field": "Microsoft.ApiManagement/service/virtualNetworkType", + "exists": "false" + }, + { + "field": "Microsoft.ApiManagement/service/virtualNetworkType", + "equals": "None" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-APIM-WithOutVnet" + }, + { + "properties": { + "displayName": "API Management services should use TLS version 1.2", + "mode": "Indexed", + "description": "Azure API Management service should use TLS version 1.2", + "metadata": { + "version": "1.0.1", + "category": "API Management" + }, + "parameters": { + "effect": { + "type": "String", + "defaultValue": "Deny", + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + { + "anyOf": [ + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":\"true\"')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls10\":true')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), '\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":\"true\"')]", + "greater": 0 + }, + { + "value": "[[indexof(toLower(string(field('Microsoft.ApiManagement/service/customProperties'))), 
'\"microsoft.windowsazure.apimanagement.gateway.security.protocols.tls11\":true')]", + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-APIM-TLS" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-API-Management", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "API Management" + }, + "displayName": "Enforce secure-by-default API Management for regulated industries", + "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure API Management is using secure encryption", + "description": "Policy to ensure API Management is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure API Management is not accessible over the 
public internet", + "description": "Policy to ensure API Management is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for API Management", + "description": "Policy to ensure API Management is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure API Management is logging all events to Log Analytics", + "description": "Policy to ensure API Management is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "apiSubscriptionScope": { + "type": "string", + "defaultValue": "Deny" + }, + "minimumApiVersion": { + "type": "string", + "defaultValue": "Deny" + }, + "apimSkuVnet": { + "type": "string", + "defaultValue": "Deny" + }, + "apimDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "apimApiBackendCertValidation": { + "type": "string", + "defaultValue": "Deny" + }, + "apimDirectApiEndpoint": { + "type": "string", + "defaultValue": "Deny" + }, + "apimCallApiAuthn": { + "type": "string", + "defaultValue": "Deny" + }, + "apimEncryptedProtocols": { + "type": "string", + "defaultValue": "Deny" + }, + "apimVnetUsage": { + "type": "string", + "defaultValue": "Deny" + }, + "apimSecrets": { + "type": "string", + "defaultValue": "Deny" + }, + "apimDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "apimLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "apimLogsCategory": { + "type": "string", + "defaultValue": "allLogs" + }, + "apimTls": { + "type": "string", + "defaultValue": "Deny" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/567c93f7-3661-494f-a30f-0a94d9bfebf8", + "policyDefinitionReferenceId": "Dine-Apim-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": 
{ + "effect": { + "value": "[[parameters('apimDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('apimLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('apimLogsCategory')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249", + "policyDefinitionReferenceId": "Deny-Apim-without-Kv", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimSecrets')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Apim-without-Vnet", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimVnetUsage')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-APIM-TLS", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4", + "policyDefinitionReferenceId": "Deny-Apim-Protocols", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimEncryptedProtocols')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54", + "policyDefinitionReferenceId": "Deny-Apim-Authn", + "groupNames": [ + "Encryption", + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimCallApiAuthn')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", + "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint", + "groupNames": [ + "Encryption", + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimDirectApiEndpoint')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", + "policyDefinitionReferenceId": "Deny-Apim-Cert-Validation", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimApiBackendCertValidation')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2", + "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5", + "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('apimSkuVnet')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", + "policyDefinitionReferenceId": "Deny-Apim-Version", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('minimumApiVersion')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", + "policyDefinitionReferenceId": "Deny-Api-subscription-scope", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('apiSubscriptionScope')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
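Review bot: The custom `Deny-APIM-TLS` definition only inspects the client-facing `gateway.security.protocols.tls10`/`tls11` keys of `customProperties`, so a service that still enables TLS 1.0/1.1 or SSL 3.0 towards backends (the analogous `gateway.security.backend.protocols.*` and `...protocols.ssl30` keys) is reported compliant even though the displayName promises "should use TLS version 1.2"; either extend the `anyOf` with those keys or narrow the displayName/description to the gateway frontend. The `indexof` comparisons use `"greater": 0`, whereas `"greaterOrEquals": 0` is the safer form since a match at position 0 of the lowered string would otherwise be missed, even if the leading `{` makes that unlikely today. Group membership is also inconsistent with the declared groups: `Deny-Apim-Version` and `Deny-Api-subscription-scope` sit under `Encryption` although neither concerns data protection, which makes group-level compliance reporting misleading. Separately, the portal deploy link added in enablement/README.md points at `aCompliant-APIManagementPolicySetDefinition.json`, which does not match the path created here, so the "Deploy to Azure" button for this initiative will fail to load the template.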
diff --git a/enablement/policies/apim/CompliantApim.json b/enablement/policies/apim/CompliantApim.json
new file mode 100644
index 0000000..dd77e79
--- /dev/null
+++ b/enablement/policies/apim/CompliantApim.json
@@ -0,0 +1,44 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2021-09-09/uiFormDefinition.schema.json#",
+ "view": {
+ "kind": "Form",
+ "properties": {
+ "title": "Secure and Compliant APIM for Enterprise Scale Azure OpenAI Hub",
+ "steps": [
+ {
+ "name": "basics",
+ "label": "Policy Initiative",
+ "elements": [
+ {
+ "name": "PolicyInfo",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "text": "The following policy definitions will be created for APIM: ",
+ "uri": "https://github.com/Azure/ai-hub/blob/main/docs/security.md#api-management",
+ "style": "Info"
+ }
+ },
+ {
+ "name": "resourceScope",
+ "type": "Microsoft.Common.ResourceScope",
+ "location": {
+ "resourceTypes": []
+ }
+ }
+ ]
+ }
+ ],
+ "deployment": {
+ "kind": "ManagementGroup",
+ "location": "[steps('basics').resourceScope.location.name]",
+ "managementGroupId": "[steps('basics').resourceScope.managementGroup.id]",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[steps('basics').resourceScope.managementGroup.id]"
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/enablement/policies/azureopenai/Compliant-OpenAiPolicySetDefinition.json b/enablement/policies/azureopenai/Compliant-OpenAiPolicySetDefinition.json
new file mode 100644
index 0000000..76096a5
--- /dev/null
+++ b/enablement/policies/azureopenai/Compliant-OpenAiPolicySetDefinition.json
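Review bot: `topLevelManagementGroupPrefix` is fed `steps('basics').resourceScope.managementGroup.id`, which for the ResourceScope control is, as far as I recall, the full `/providers/Microsoft.Management/managementGroups/<name>` resource ID rather than the bare name; the template's `scope` variable already prepends that prefix, so the custom policyDefinitionId references in the initiative would be built with a doubled prefix and the policySetDefinition deployment would fail. Use `"value": "[steps('basics').resourceScope.managementGroup.name]"` for the parameter and keep `.id` for `managementGroupId`, then confirm with one deployment against a test management group. The InfoBox text ends in a dangling colon (`will be created for APIM: `) with nothing following it; either enumerate the definitions or close the sentence and rely on the linked security.md anchor.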
@@ -0,0 +1,584 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Outbound network access should be restricted for Cognitive Services", + "mode": "Indexed", + "description": "Azure Cognitive Services allow restricting outbound network access. Enable this to limit outbound connectivity for the service.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "exists": "false" + }, + { + "field": "Microsoft.CognitiveServices/accounts/restrictOutboundNetworkAccess", + "notEquals": true + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-CognitiveServices-RestrictOutboundNetworkAccess" + }, + { + "properties": { + "displayName": "Network ACLs should be restricted for Cognitive Services", + "mode": "Indexed", + "description": "Azure Cognitive Services should not allow adding individual IPs or virtual network rules to the service-level firewall. 
Enable this to restrict inbound network access and enforce the usage of private endpoints.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + { + "anyOf": [ + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.ipRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.CognitiveServices/accounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-CognitiveServices-NetworkAcls" + }, + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Open Ai (Cognitive Services) to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Open Ai (Cognitive Services) to stream to a Log Analytics workspace when any Open Ai which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": 
"[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-OpenAi" + }, + { + "properties": { + "displayName": "Only explicit kinds for Cognitive Services should be allowed ", + "mode": "Indexed", + "description": "Azure Cognitive Services should only create explicit allowed kinds.", + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + }, + "allowedKinds": { + "type": "array", + "metadata": { + "displayName": "Effect", + "description": "Select the allowed resource kinds to be used with Cognitive Services" + }, + "allowedValues": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ], + "defaultValue": [ + "AnomalyDetector", + "ComputerVision", + "CognitiveServices", + "ContentModerator", + "CustomVision.Training", + "CustomVision.Prediction", + "Face", + "FormRecognizer", + "ImmersiveReader", + "LUIS", + "Personalizer", + "SpeechServices", + "TextAnalytics", + "TextTranslation", + "OpenAI" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": 
"Microsoft.CognitiveServices/accounts" + }, + { + "field": "kind", + "notIn": "[[parameters('allowedKinds')]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-CognitiveServices-Resource-Kinds" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-OpenAi", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Cognitive Services" + }, + "displayName": "Enforce secure-by-default Open AI (Cognitive Service) for regulated industries", + "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Open AI (Cognitive Service)", + "description": "Policy to ensure data protection for Open AI (Cognitive Service)" + }, + { + "name": "Network", + 
"category": "Network Security", + "displayName": "Ensure Open AI (Cognitive Service) is not accessible over the public internet", + "description": "Policy to ensure Open AI (Cognitive Service) not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Open AI (Cognitive Service)", + "description": "Policy to ensure Open AI (Cognitive Service) is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Open AI (Cognitive Service) is logging all events to Log Analytics", + "description": "Policy to ensure Open AI (Cognitive Service) is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "cognitiveServicesNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "cognitiveServicesModifyDisableLocalAuth": { + "type": "string", + "defaultValue": "Modify" + }, + "cognitiveServicesDisableLocalAuth": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesCustomerStorage": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesOutboundNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesNetworkAcls": { + "type": "string", + "defaultValue": "Deny" + }, + "cognitiveServicesDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "cognitiveServicesLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": 
"[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesOutboundNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAcls')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-OpenAi", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('cognitiveServicesLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + 
"policyDefinitionReferenceId": "Deny-Cognitive-Services-CMK", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesCustomerStorage')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", + "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesModifyDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", + "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('cognitiveServicesNetworkAccess')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file 
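Review bot: The `existenceCondition` of `Dine-Diagnostics-OpenAi` checks only `Microsoft.Insights/diagnosticSettings/workspaceId`, so a diagnostic setting that targets the workspace but has its log categories disabled satisfies the policy and no remediation runs, whereas the Data Factory definition in this same commit additionally requires `logs.enabled`; adding `{ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" }` to the `allOf` would close that gap. Separately, the `allowedKinds` parameter of `Deny-CognitiveServices-Resource-Kinds` carries `"displayName": "Effect"`, evidently copied from the effect parameter; `"displayName": "Allowed kinds"` would match its description. The initiative-level effect parameters (`cognitiveServicesNetworkAccess` through `cognitiveServicesDiagnostics`) declare no `allowedValues`, unlike the definitions they feed, so a mistyped effect is only rejected at assignment time; constraining them to the same value sets would catch that earlier. The Identity group's displayName also misspells "authorization" as "auhtorization", and the same text recurs in the Data Factory and Key Vault initiatives.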
diff --git a/enablement/policies/datafactory/Compliant-DataFactoryPolicySetDefinition.json b/enablement/policies/datafactory/Compliant-DataFactoryPolicySetDefinition.json
new file mode 100644
index 0000000..51a2534
--- /dev/null
+++ b/enablement/policies/datafactory/Compliant-DataFactoryPolicySetDefinition.json
@@ -0,0 +1,386 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "policyType": "Custom", + "mode": "Indexed", + "displayName": "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace", + "description": "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled", + "metadata": { + "version": "1.0.0", + "category": "Data Factory" + }, + "parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select Log Analytics workspace from dropdown list. 
If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", + "strongType": "omsWorkspace" + } + }, + "effect": { + "type": "String", + "defaultValue": "DeployIfNotExists", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } + }, + "profileName": { + "type": "String", + "defaultValue": "setbypolicy", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + } + }, + "metricsEnabled": { + "type": "String", + "defaultValue": "True", + "allowedValues": [ + "True", + "False" + ], + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + } + } + }, + "policyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "[[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": 
{ + "type": "String" + }, + "logAnalytics": { + "type": "String" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + }, + "profileName": { + "value": "[[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[[parameters('metricsEnabled')]" + } + } + } + } + } + } + } + }, + "name": "Dine-Diagnostics-DataFactory" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": 
"[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-DataFactory", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Data Factory" + }, + "displayName": "Enforce secure-by-default Data Factory for regulated industries", + "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure compliance for data encryption, protection, and recovery for Data Factory", + "description": "Policy to ensure data protection for Data Factory" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Data Factory is not accessible over the public internet", + "description": "Policy to ensure Data Factory not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Data Factory", + "description": "Policy to ensure Data Factory is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Data Factory is logging all events to Log Analytics", + "description": "Policy to ensure Data Factory is logging all events to Log Analytics workspace" + }, + { + "name": "DevOps", + "category": "DevOps Security", + "displayName": "Ensure Data Factory is is using Git as source control", + "description": "Policy to ensure Data Factory is configured to use Git as source control" + } + ], + 
"parameters": { + "adfSqlIntegration": { + "type": "string", + "defaultValue": "Deny" + }, + "adfModifyPublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "adfLinkedServiceKeyVault": { + "type": "string", + "defaultValue": "Deny" + }, + "adfPublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "adfCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "adfGit": { + "type": "string", + "defaultValue": "Deny" + }, + "adfManagedIdentity": { + "type": "string", + "defaultValue": "Deny" + }, + "adfDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "adfLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Dine-Diagnostics-DataFactory", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('adfLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", + "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfManagedIdentity')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", + "policyDefinitionReferenceId": "Deny-Adf-Git", + "groupNames": [ + "DevOps" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfGit')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", + "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": 
{ + "effect": { + "value": "[[parameters('adfCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", + "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0", + "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfLinkedServiceKeyVault')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", + "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfModifyPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952", + "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('adfSqlIntegration')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file diff --git a/enablement/policies/keyvault/Compliant-KeyVaultPolicySetDefinition.json b/enablement/policies/keyvault/Compliant-KeyVaultPolicySetDefinition.json new file mode 100644 index 0000000..92aeff2 --- /dev/null +++ b/enablement/policies/keyvault/Compliant-KeyVaultPolicySetDefinition.json 
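Review bot: The `existenceCondition` of `Dine-Diagnostics-DataFactory` unconditionally requires `Microsoft.Insights/diagnosticSettings/metrics.enabled` to equal "true", but the deployed resource writes `"enabled": "[[parameters('metricsEnabled')]"`; when an assignment sets `metricsEnabled` to "False" the condition can never be satisfied, so the resource stays non-compliant after every remediation. Either drop the `metrics.enabled` clause or tie it to the parameter, e.g. `"equals": "[[parameters('metricsEnabled')]"` (Azure Policy string conditions such as `equals` are case-insensitive, so "True" matches "true"). Passing the string "True"/"False" into the boolean `enabled` property of the diagnostic-setting resource is also worth confirming against the `2021-05-01-preview` schema rather than relying on implicit coercion. The DevOps group's displayName reads "Ensure Data Factory is is using Git as source control"; drop the duplicated "is".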
@@ -0,0 +1,790 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "policies": {
+ "policyDefinitions": []
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
+ "apiVersion": "2019-09-01",
+ "copy": {
+ "name": "policyDefinitionCopy",
+ "count": "[length(variables('policies').policyDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
+ "policyType": "Custom",
+ "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
+ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
+ "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "name": "Compliant-Key-Vault",
+ "dependsOn": [
+ "policyDefinitionCopy"
+ ],
+ "properties": {
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Key Vault"
+ },
+ "displayName": "Enforce secure-by-default Key Vault for regulated industries",
+ "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones",
+ "policyDefinitionGroups": [
+ {
+ "name": "Encryption",
+ "category": "Data Protection",
+ "displayName": "Ensure compliance for purge protection, soft delete, 
and key rotation", + "description": "Policy to ensure compliance for purge protection, soft delete, and key rotation" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Key Vault is not accessible over the public internet", + "description": "Policy to ensure Key Vault is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Key Vault", + "description": "Policy to ensure Key Vault is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Key Vault is logging all events to Log Analytics", + "description": "Policy to ensure Key Vault is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "keyVaultPurgeProtection": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultHmsPurgeProtection": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultArmRbac": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultManagedHsmDisablePublicNetwork": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultSoftDelete": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultDisablePublicNetwork": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultManagedHsmDisablePublicNetworkModify": { + "type": "string", + "defaultValue": "Modify" + }, + "keyVaultDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "keyVaultLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "keyVaultCertificatesPeriod": { + "type": "string", + "defaultValue": "Disabled" + }, + "keyVaultCertValidPeriod": { + "type": "integer", + "defaultValue": 12 + }, + "keyVaultKeysExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultHmsKeysExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + 
"keyVaultSecretExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + "keysValidPeriod": { + "type": "string", + "defaultValue": "Disabled" + }, + "keysValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsValidPeriod": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsValidityInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultFw": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultCertKeyTypes": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultEllipticCurve": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultModifyFw": { + "type": "string", + "defaultValue": "Modify" + }, + "keyVaultCryptographicType": { + "type": "string", + "defaultValue": "Deny" + }, + "keysExpiration": { + "type": "string", + "defaultValue": "Disabled" + }, + "keysExpirationInDays": { + "type": "integer", + "defaultValue": 30 + }, + "keysActive": { + "type": "string", + "defaultValue": "Disabled" + }, + "keysActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "keysCurveNames": { + "type": "string", + "defaultValue": "Deny" + }, + "secretsExpiration": { + "type": "string", + "defaultValue": "Disabled" + }, + "secretsMoreInDays": { + "type": "integer", + "defaultValue": 30 + }, + "secretsActiveInDays": { + "type": "integer", + "defaultValue": 90 + }, + "secretsActive": { + "type": "string", + "defaultValue": "Disabled" + }, + "hsmDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "hsmLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "hsmLogCategories": { + "type": "string", + "defaultValue": "allLogs" + }, + "keyVaultCertificateLifeTimeAction": { + "type": "string", + "defaultValue": "Disabled" + }, + "keyVaultCertificateMaximumPercentageLife": { + "type": "integer", + "defaultValue": 80 + }, + "keyVaultCertificateMinimumDaysBeforeExpiry": { + "type": "integer", + "defaultValue": 20 + }, + "keyVaultCheckMinimumRSAKeySize": { 
+ "type": "string", + "defaultValue": "Deny" + }, + "keyVaultMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048 + }, + "keyVaultManagedHsmCheckMinimumRSAKeySize": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultManagedHsmMinimumRSAKeySizeValue": { + "type": "integer", + "defaultValue": 2048 + }, + "keyVaultCheckMinimumRSACertificateSize": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultMinimumRSACertificateSizeValue": { + "type": "integer", + "defaultValue": 2048 + }, + "keyVaultIntegratedCa": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultIntegratedCaValue": { + "type": "array", + "defaultValue": [ + "DigiCert", + "GlobalSign" + ] + }, + "keyVaultNonIntegratedCa": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultNonIntegratedCaValue": { + "type": "string", + "defaultValue": "" + }, + "keyVaultSecretContentType": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultHsmMinimumDaysBeforeExpiration": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultHsmMinimumDaysBeforeExpirationValue": { + "type": "integer", + "defaultValue": 90 + }, + "keyVaultHmsCurveNames": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultHmsCurveNamesValue": { + "type": "array", + "defaultValue": [ + "P-256", + "P-256K", + "P-384", + "P-521" + ] + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays": { + "type": "string", + "defaultValue": "Deny" + }, + "keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue": { + "type": "integer", + "defaultValue": 90 + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427", + "policyDefinitionReferenceId": "Deny-Kv-Cert-Expiration-Within-Specific-Number-Days", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]" + }, + 
"daysToExpire": { + "value": "[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e", + "policyDefinitionReferenceId": "Deny-Kv-Hsm-Curve-Names", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsCurveNames')]" + }, + "allowedECNames": { + "value": "[[parameters('keyVaultHmsCurveNamesValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653", + "policyDefinitionReferenceId": "Deny-Kv-Hsm-MinimumDays-Before-Expiration", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82", + "policyDefinitionReferenceId": "Deny-Kv-Integrated-Ca", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultIntegratedCa')]" + }, + "allowedCAs": { + "value": "[[parameters('keyVaultIntegratedCaValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341", + "policyDefinitionReferenceId": "Deny-Kv-Non-Integrated-Ca", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultNonIntegratedCa')]" + }, + "caCommonName": { + "value": "[[parameters('keyVaultNonIntegratedCaValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3", + "policyDefinitionReferenceId": "Deny-Kv-Secret-Content-Type", + "groupNames": [ + 
"Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultSecretContentType')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b88bfd90-4da5-43eb-936f-ae1481924291", + "policyDefinitionReferenceId": "Dine-Diagnostics-Hsm", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('hsmDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('hsmLogAnalyticsWorkspaceId')]" + }, + "categoryGroup": { + "value": "[[parameters('hsmLogCategories')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe", + "policyDefinitionReferenceId": "Deny-KV-Secret-AvticeDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsActive')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsActiveInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a", + "policyDefinitionReferenceId": "Deny-KV-Secret-MinDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('secretsMoreInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255", + "policyDefinitionReferenceId": "Deny-KV-Curve-Names", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysCurveNames')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9", + "policyDefinitionReferenceId": "Deny-KV-Key-Active", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysActive')]" + }, + "maximumValidityInDays": { + 
"value": "[[parameters('keysActiveInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146", + "policyDefinitionReferenceId": "Deny-KV-Key-Expiration", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysExpiration')]" + }, + "minimumDaysBeforeExpiration": { + "value": "[[parameters('keysExpirationInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb", + "policyDefinitionReferenceId": "Deny-KV-Cryptographic-Type", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCryptographicType')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc", + "policyDefinitionReferenceId": "Modify-KV-Fw", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultModifyFw')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf", + "policyDefinitionReferenceId": "Deny-KV-Elliptic-Curve", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultEllipticCurve')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f", + "policyDefinitionReferenceId": "Deny-KV-Key-Types", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertKeyTypes')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490", + "policyDefinitionReferenceId": "Deny-KV-Fws", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultFw')]" + } + } + }, + { + 
"policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f", + "policyDefinitionReferenceId": "Deny-KV-Secrets-ValidityDays", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('secretsValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('secretsValidityInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9", + "policyDefinitionReferenceId": "Deny-KV-Keys-Expire", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keysValidPeriod')]" + }, + "maximumValidityInDays": { + "value": "[[parameters('keysValidityInDays')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37", + "policyDefinitionReferenceId": "Deny-KV-Secret-Expire", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultSecretExpiration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5", + "policyDefinitionReferenceId": "Deny-KV-Hms-Key-Expire", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsKeysExpiration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0", + "policyDefinitionReferenceId": "Deny-KV-Key-Expire", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultKeysExpiration')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560", + "policyDefinitionReferenceId": "Deny-KV-Cert-Period", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('keyVaultCertificatesPeriod')]" + }, + "maximumValidityInMonths": { + "value": "[[parameters('keyVaultCertValidPeriod')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383", + "policyDefinitionReferenceId": "Deny-KV-Hms-PurgeProtection", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultHmsPurgeProtection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951af2fa-529b-416e-ab6e-066fd85ac459", + "policyDefinitionReferenceId": "DINE-KV-Logs", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('keyVaultLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456", + "policyDefinitionReferenceId": "Modify-KV-PublicNetworkAccess", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b", + "policyDefinitionReferenceId": "Deny-KV-PublicNetwork", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultDisablePublicNetwork')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d", + "policyDefinitionReferenceId": "Deny-KV-Hms-SoftDelete", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultSoftDelete')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f", + "policyDefinitionReferenceId": 
"Deny-KV-Hms-PublicNetwork", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultManagedHsmDisablePublicNetwork')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5", + "policyDefinitionReferenceId": "Deny-KV-without-ArmRbac", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultArmRbac')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53", + "policyDefinitionReferenceId": "Deny-KV-without-PurgeProtection", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultPurgeProtection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417", + "policyDefinitionReferenceId": "Deny-KV-Cert-without-LifeTimeActionTrigger", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCertificateLifeTimeAction')]" + }, + "minimumDaysBeforeExpiry": { + "value": "[[parameters('keyVaultCertificateMinimumDaysBeforeExpiry')]" + }, + "maximumPercentageLife": { + "value": "[[parameters('keyVaultCertificateMaximumPercentageLife')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9", + "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinKeySize", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('keyVaultCheckMinimumRSAKeySize')]" + }, + "minimumRSAKeySize": { + "value": "[[parameters('keyVaultMinimumRSAKeySizeValue')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57", + "policyDefinitionReferenceId": 
"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0",
+ "policyDefinitionReferenceId": "Deny-KV-RSA-Keys-without-MinCertSize",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('keyVaultCheckMinimumRSACertificateSize')]"
+ },
+ "minimumRSAKeySize": {
+ "value": "[[parameters('keyVaultMinimumRSACertificateSizeValue')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/enablement/policies/storageaccount/Compliant-StoragePolicySetDefinition.json b/enablement/policies/storageaccount/Compliant-StoragePolicySetDefinition.json
new file mode 100644
index 0000000..5f347a1
--- /dev/null
+++ b/enablement/policies/storageaccount/Compliant-StoragePolicySetDefinition.json
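Review bot: Seven of the initiative parameters that govern key, secret and certificate lifetime in `Compliant-Key-Vault` — `keyVaultCertificatesPeriod`, `keysValidPeriod`, `keysExpiration`, `keysActive`, `secretsExpiration`, `secretsActive` and `keyVaultCertificateLifeTimeAction` — default to `"Disabled"`, so an assignment that keeps the defaults yields no compliance signal at all for rotation hygiene even though the set is titled "Enforce secure-by-default Key Vault"; if `Deny` is too strict for vaults that already exist, `"defaultValue": "Audit"` still surfaces the drift without blocking anything. Parameter naming is inconsistent in a way that will mislead whoever writes the assignment: `keyVaultHmsPurgeProtection`, `keyVaultHmsKeysExpiration` and `keyVaultHmsCurveNames` spell the HSM abbreviation as `Hms` while `keyVaultHsmMinimumDaysBeforeExpiration` spells it `Hsm`, and `Modify-KV-PublicNetworkAccess` and `Deny-KV-Hms-SoftDelete` are driven by `keyVaultManagedHsmDisablePublicNetworkModify` and `keyVaultSoftDelete` respectively, so the reference id and its parameter disagree about whether a vault or a managed HSM is the target. The reference id `Deny-KV-Secret-AvticeDays` and the Identity group display name `Ensure usage of centralized identity and auhtorization system for Key Vault` carry typos that are cheapest to fix now, since a reference id can later be cited by exemptions and renaming it then is a breaking change. None of the initiative parameters carry `metadata` (`displayName`, `description`) or `allowedValues`, so the assignment experience shows bare names and accepts any string for an effect; adding `"allowedValues": ["Audit", "Deny", "Disabled"]` on each effect parameter would reject a mistyped effect at assignment time instead of at evaluation time.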
@@ -0,0 +1,1694 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "policies": { + "policyDefinitions": [ + { + "properties": { + "displayName": "Storage accounts should use customer-managed key for encryption", + "mode": "Indexed", + "description": "Secure your blob and file storage account with greater flexibility using customer-managed keys. When you specify a customer-managed key, that key is used to protect and control access to the key that encrypts your data. Using customer-managed keys provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.", + "metadata": { + "version": "1.0.3", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Audit", + "Deny", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "not": { + "field": "Microsoft.Storage/storageAccounts/encryption.keySource", + "equals": "Microsoft.Keyvault" + } + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-Cmk" + }, + { + "properties": { + "displayName": "Allowed Copy scope should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should restrict the allowed copy scope. 
Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + }, + "allowedCopyScope": { + "type": "String", + "metadata": { + "displayName": "Allowed Copy Scope", + "description": "Specify the allowed copy scope." + }, + "allowedValues": [ + "AAD", + "PrivateLink" + ], + "defaultValue": "AAD" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/allowedCopyScope", + "notEquals": "[[parameters('allowedCopyScope')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-CopyScope" + }, + { + "properties": { + "displayName": "Encryption for storage services should be enforced for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should enforce encryption for all storage services. 
Enforce this for increased encryption scope.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled", + "notEquals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.file.enabled", + "notEquals": true + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.queue.keyType", + "notEquals": "Account" + } + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/encryption.services.table.keyType", + "notEquals": "Account" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-ServicesEncryption" + }, + { + "properties": { + "displayName": "Local users should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should disable local users for features like SFTP. 
Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/isLocalUserEnabled", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-LocalUser" + }, + { + "properties": { + "displayName": "SFTP should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should disable SFTP. 
Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/isSftpEnabled", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/isSftpEnabled", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-Sftp" + }, + { + "properties": { + "displayName": "Network ACL bypass option should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should restrict the bypass option for service-level network ACLs. 
Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + }, + "allowedBypassOptions": { + "type": "Array", + "metadata": { + "displayName": "Allowed Bypass Options", + "description": "Specifies which options are allowed to bypass the vnet configuration" + }, + "allowedValues": [ + "None", + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ], + "defaultValue": [ + "Logging", + "Metrics", + "AzureServices", + "Logging, Metrics", + "Logging, AzureServices", + "Metrics, AzureServices", + "Logging, Metrics, AzureServices", + "Logging, Metrics, AzureServices" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "exists": "false" + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.bypass", + "notIn": "[[parameters('allowedBypassOptions')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-NetworkAclsBypass" + }, + { + "properties": { + "displayName": "Resource Access Rules Tenants should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to service from the same AAD tenant. 
Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].tenantId", + "notEquals": "[[subscription().tenantId]" + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-ResourceAccessRulesTenantId" + }, + { + "properties": { + "displayName": "Resource Access Rules resource IDs should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should restrict the resource access rule for service-level network ACLs to services from a specific Azure subscription. 
Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]" + }, + "greater": 0 + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*]", + "where": { + "value": "[[split(current('Microsoft.Storage/storageAccounts/networkAcls.resourceAccessRules[*].resourceId'), '/')[2]]", + "equals": "*" + } + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-ResourceAccessRulesResourceId" + }, + { + "properties": { + "displayName": "Virtual network rules should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should restrict the virtual network service-level network ACLs. 
Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]" + }, + "greater": 0 + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-NetworkAclsVirtualNetworkRules" + }, + { + "properties": { + "displayName": "Public blob access should be restricted for Storage Accounts", + "mode": "Indexed", + "description": "Azure Storage accounts should restrict blob access to private. Enforce this for increased data exfiltration protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", + "exists": false + }, + { + "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", + "notEquals": false + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-AllowBlobPublicAccess" + }, + { + "properties": { + "displayName": "Storage Accounts should use a container delete retention policy", + "mode": "All", + "description": "Enforce container delete retention policies 
larger than seven days for storage account. Enable this for increased data loss protection", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + }, + "minContainerDeleteRetentionInDays": { + "type": "Integer", + "metadata": { + "displayName": "Minimum Container Delete Retention in Days", + "description": "Specifies the minimum number of days for the container delete retention policy" + }, + "defaultValue": 7 + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "anyOf": [ + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "exists": false + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.enabled", + "notEquals": true + }, + { + "field": "Microsoft.Storage/storageAccounts/blobServices/containerDeleteRetentionPolicy.days", + "less": "[[parameters('minContainerDeleteRetentionInDays')]" + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-ContainerDeleteRetentionPolicy" + }, + { + "properties": { + "displayName": "Storage Accounts should restrict CORS rules", + "mode": "All", + "description": "Deny cors rules for storage account for increased data exfiltration protection and endpoint protection.", + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "Deny", + "Audit", + "Disabled" + ], + "defaultValue": "Deny" + } + }, + "policyRule": { + "if": { + "anyOf": [ + { + 
"allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/blobServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/fileServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/tableServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/tableServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + }, + { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/queueServices" + }, + { + "count": { + "field": "Microsoft.Storage/storageAccounts/queueServices/cors.corsRules[*]" + }, + "greater": 0 + } + ] + } + ] + }, + "then": { + "effect": "[[parameters('effect')]" + } + } + }, + "name": "Deny-Storage-CorsRules" + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]", + "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]" + } + }, + { + "type": 
"Microsoft.Authorization/policySetDefinitions", + "apiVersion": "2021-06-01", + "name": "Compliant-Storage", + "dependsOn": [ + "policyDefinitionCopy" + ], + "properties": { + "metadata": { + "version": "1.0.0", + "category": "Storage" + }, + "displayName": "Enforce secure-by-default Storage Account for regulated industries", + "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones", + "policyDefinitionGroups": [ + { + "name": "Encryption", + "category": "Data Protection", + "displayName": "Ensure Storage Account is using secure encryption", + "description": "Policy to ensure Storage Account is using secure encryption" + }, + { + "name": "Network", + "category": "Network Security", + "displayName": "Ensure Storage Account is not accessible over the public internet", + "description": "Policy to ensure Storage Account is not accessible over the public internet" + }, + { + "name": "Identity", + "category": "Identity Management", + "displayName": "Ensure usage of centralized identity and auhtorization system for Storage Account", + "description": "Policy to ensure Storage Account is not using local authorization" + }, + { + "name": "Logging", + "category": "Logging and Threat Detection", + "displayName": "Ensure Storage Account is logging all events to Log Analytics", + "description": "Policy to ensure Storage Account is logging all events to Log Analytics workspace" + } + ], + "parameters": { + "storageKeysExipiration": { + "type": "string", + "defaultValue": "Deny" + }, + "modifyStorageFileSyncPublicEndpoint": { + "type": "string", + "defaultValue": "Modify" + }, + "storageFileSyncPublicEndpoint": { + "type": "string", + "defaultValue": "Deny" + }, + "storageFileSyncDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageFileSyncLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageAccountNetworkRules": { + "type": "string", + 
"defaultValue": "Deny" + }, + "storageTableDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageTableLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageAccountRestrictNetworkRules": { + "type": "string", + "defaultValue": "Deny" + }, + "storageThreatProtection": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageClassicToArm": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountSecureTransfer": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsInfraEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsPublicAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageAccountsLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageAccountsCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "storageQueueDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageQueueLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageTableCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountSharedKey": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsCrossTenant": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsModifyDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Modify" + }, + "storageAccountsDisablePublicNetworkAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsDoubleEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "storageQueueCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsTls": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsEncryptionCmk": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAccountsCopyScope": { + "type": 
"string", + "defaultValue": "Deny" + }, + "storageAccountsAllowedCopyScope": { + "type": "string", + "defaultValue": "AAD" + }, + "storageServicesEncryption": { + "type": "string", + "defaultValue": "Deny" + }, + "storageLocalUser": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageSftp": { + "type": "string", + "defaultValue": "Deny" + }, + "storageNetworkAclsBypass": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAllowedNetworkAclsBypass": { + "type": "array", + "defaultValue": [ + "None" + ] + }, + "storageResourceAccessRulesTenantId": { + "type": "string", + "defaultValue": "Deny" + }, + "storageResourceAccessRulesResourceId": { + "type": "string", + "defaultValue": "Deny" + }, + "storageNetworkAclsVirtualNetworkRules": { + "type": "string", + "defaultValue": "Deny" + }, + "storageAllowBlobPublicAccess": { + "type": "string", + "defaultValue": "Deny" + }, + "storageContainerDeleteRetentionPolicy": { + "type": "string", + "defaultValue": "Deny" + }, + "storageMinContainerDeleteRetentionInDays": { + "type": "Integer", + "defaultValue": 7 + }, + "storageCorsRules": { + "type": "string", + "defaultValue": "Deny" + }, + "storageBlobDiagnostics": { + "type": "string", + "defaultValue": "DeployIfNotExists" + }, + "storageBlobLogAnalyticsWorkspaceId": { + "type": "string", + "defaultValue": "" + }, + "storageBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryBlobPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageSecondaryBlobPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryDfsPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + 
"storageSecondaryDfsPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryQueuePrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageSecondaryQueuePrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageWebPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "storageSecondaryWebPrivateDnsZone": { + "type": "string", + "defaultValue": "Disabled" + }, + "storageSecondaryWebPrivateDnsZoneId": { + "type": "string", + "defaultValue": "" + }, + "modifyStorageAccountPublicEndpoint": { + "type": "string", + "defaultValue": "Modify" + }, + "diagFileMetrics": { + "type": "boolean", + "defaultValue": false + }, + "diagBlobMetrics": { + "type": "boolean", + "defaultValue": false + }, + "diagQueueMetrics": { + "type": "boolean", + "defaultValue": false + }, + "diagTableMetrics": { + "type": "boolean", + "defaultValue": false + } + }, + "policyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]", + "policyDefinitionReferenceId": "Deny-Storage-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCmk')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]", + "policyDefinitionReferenceId": "Deny-Storage-CopyScope", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCopyScope')]" + }, + "allowedCopyScope": { + "value": 
"[[parameters('storageAccountsAllowedCopyScope')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]", + "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageServicesEncryption')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[3].name)]", + "policyDefinitionReferenceId": "Deny-Storage-LocalUser", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageLocalUser')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[4].name)]", + "policyDefinitionReferenceId": "Deny-Storage-Sftp", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSftp')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[5].name)]", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsBypass')]" + }, + "allowedBypassOptions": { + "value": "[[parameters('storageAllowedNetworkAclsBypass')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[6].name)]", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesTenantId')]" + } + } + }, + { + 
"policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[7].name)]", + "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageResourceAccessRulesResourceId')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[8].name)]", + "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageNetworkAclsVirtualNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[9].name)]", + "policyDefinitionReferenceId": "Deny-Storage-AllowBlobPublicAccess", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAllowBlobPublicAccess')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[10].name)]", + "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageContainerDeleteRetentionPolicy')]" + }, + "minContainerDeleteRetentionInDays": { + "value": "[[parameters('storageMinContainerDeleteRetentionInDays')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[11].name)]", + "policyDefinitionReferenceId": "Deny-Storage-CorsRules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": 
"[[parameters('storageCorsRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb", + "policyDefinitionReferenceId": "Dine-Diagnostics-Storage-blob", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageBlobDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('storageBlobLogAnalyticsWorkspaceId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", + "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsEncryptionCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", + "policyDefinitionReferenceId": "Deny-Storage-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", + "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageQueueCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", + "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsDoubleEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693", + "policyDefinitionReferenceId": "Deny-Storage-Account-PublicEndpoint", + "groupNames": [ + "Network" + ], + "parameters": { + 
"effect": { + "value": "[[parameters('storageAccountsDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d", + "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", + "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", + "groupNames": [ + "Encryption", + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsCrossTenant')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", + "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", + "groupNames": [ + "Encryption", + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountSharedKey')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", + "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageTableCmk')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45", + "policyDefinitionReferenceId": "Dine-Storage-Queue-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageQueueDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('storageQueueLogAnalyticsWorkspaceId')]" + }, + "metricsEnabled": { + "value": "[[parameters('diagQueueMetrics')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", + "policyDefinitionReferenceId": "Dine-Storage-Blob-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageBlobPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageBlobPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryBlob-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryBlobPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "policyDefinitionReferenceId": "Dine-Storage-Dfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryDfs-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryDfsPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "policyDefinitionReferenceId": "Dine-Storage-Queue-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageQueuePrivateDnsZone')]" + }, + "privateDnsZoneId": { + 
"value": "[[parameters('storageQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryQueue-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryQueuePrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "policyDefinitionReferenceId": "Dine-Storage-Web-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageWebPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "policyDefinitionReferenceId": "Dine-Storage-SecondaryWeb-PrivateDns", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZone')]" + }, + "privateDnsZoneId": { + "value": "[[parameters('storageSecondaryWebPrivateDnsZoneId')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef", + "policyDefinitionReferenceId": "Dine-Storage-Accounts-Diagnostics", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsDiagnostics')]" + }, + "logAnalytics": { + "value": "[[parameters('storageAccountsLogAnalyticsWorkspaceId')]" + }, + "metricsEnabled": { + "value": "[[parameters('diagBlobMetrics')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", + "policyDefinitionReferenceId": 
"Deny-Storage-Public-Access", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsPublicAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", + "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountsInfraEncryption')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "policyDefinitionReferenceId": "Deny-Storage-SecureTransfer", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountSecureTransfer')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", + "policyDefinitionReferenceId": "Deny-Storage-Classic", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageClassicToArm')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", + "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", + "groupNames": [ + "Logging" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageThreatProtection')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", + "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('storageAccountRestrictNetworkRules')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0", + "policyDefinitionReferenceId": "Dine-Storage-Table-Diagnostics", + "groupNames": [ + 
"Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('storageTableDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('storageTableLogAnalyticsWorkspaceId')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('diagTableMetrics')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f",
+ "policyDefinitionReferenceId": "Deny-Storage-NetworkRules",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('storageAccountNetworkRules')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96",
+ "policyDefinitionReferenceId": "Dine-Storage-FileSync-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('storageFileSyncDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('storageFileSyncLogAnalyticsWorkspaceId')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('diagFileMetrics')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7",
+ "policyDefinitionReferenceId": "Deny-Storage-FileSync-PublicEndpoint",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('storageFileSyncPublicEndpoint')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b",
+ "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyStorageAccountPublicEndpoint')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b",
+ "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('modifyStorageFileSyncPublicEndpoint')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537",
+ "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('storageKeysExipiration')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/enablement/policies/webapp/Compliant-AppServicesPolicySetDefinition.json b/enablement/policies/webapp/Compliant-AppServicesPolicySetDefinition.json
new file mode 100644
index 0000000..724979f
--- /dev/null
+++ b/enablement/policies/webapp/Compliant-AppServicesPolicySetDefinition.json
@@ -0,0 +1,1693 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "defaultValue": ""
+ }
+ },
+ "variables": {
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "policies": {
+ "policyDefinitions": [
+ {
+ "properties": {
+ "displayName": "API App should only be accessible over HTTPS",
+ "policyType": "Custom",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service"
+ },
+ "mode": "Indexed",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Deny"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "like": "*api"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "equals": "false"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-ApiApp-Https"
+ },
+ {
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "App Service"
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "False",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[[field('kind')]",
+ "contains": "functionapp"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[[parameters('profileName')]",
+ "evaluationDelay": "AfterProvisioning",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "FunctionAppLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-FunctionApp-Diagnostics"
+ },
+ {
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for App Service Web App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "metadata": {
+ "version": "1.2.0",
+ "category": "App Service Web App"
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "value": "[[field('kind')]",
+ "notContains": "functionapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ },
+ "serverFarmId": {
+ "type": "String"
+ }
+ },
+ "variables": {
+ "logs": {
+ "premiumTierLogs": [
+ {
+ "category": "AppServiceAntivirusScanAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceHTTPLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceConsoleLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceAppLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceFileAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceIPSecAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServicePlatformLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ],
+ "otherTierLogs": [
+ {
+ "category": "AppServiceHTTPLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceConsoleLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceAppLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServiceIPSecAuditLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ },
+ {
+ "category": "AppServicePlatformLogs",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": "[[if(startsWith(reference(parameters('serverFarmId'), '2021-03-01', 'Full').sku.tier, 'Premium'), variables('logs').premiumTierLogs, variables('logs').otherTierLogs)]"
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]"
+ }
+ }
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ },
+ "serverFarmId": {
+ "value": "[[field('Microsoft.Web/sites/serverFarmId')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Dine-AppService-Diagnostics"
+ },
+ {
+ "properties": {
+ "displayName": "Logic apps should disable public network access",
+ "mode": "Indexed",
+ "description": "Disabling public network access improves security by ensuring that the Logic App is not exposed on the public internet. Creating private endpoints can limit exposure of a Logic App. Learn more at: https://aka.ms/app-service-private-endpoint.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Web/sites/publicNetworkAccess",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Web/sites/publicNetworkAccess",
+ "notEquals": "Disabled"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-LogicApp-Public-Network"
+ },
+ {
+ "properties": {
+ "displayName": "Logic app should only be accessible over HTTPS",
+ "mode": "Indexed",
+ "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "App Service"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Web/sites/httpsOnly",
+ "equals": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-LogicApps-Without-Https"
+ },
+ {
+ "properties": {
+ "displayName": "Configure Logic apps to use the latest TLS version",
+ "mode": "Indexed",
+ "description": "Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "field": "kind",
+ "contains": "workflowapp"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Web/sites/config",
+ "name": "web",
+ "existenceCondition": {
+ "field": "Microsoft.Web/sites/config/minTlsVersion",
+ "equals": "1.2"
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "siteName": {
+ "value": "[[field('name')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "siteName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/config",
+ "apiVersion": "2021-02-01",
+ "name": "[[concat(parameters('siteName'), '/web')]",
+ "properties": {
+ "minTlsVersion": "1.2"
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Dine-LogicApp-TLS"
+ },
+ {
+ "properties": {
+ "policyType": "Custom",
+ "mode": "Indexed",
+ "displayName": "Deploy Diagnostic Settings for Azure Logic App to Log Analytics workspace",
+ "description": "Deploys the diagnostic settings for Azure Logic App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+ "metadata": {
+ "version": "1.1.0",
+ "category": "App Service"
+ },
+ "parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "String",
+ "defaultValue": "la-setbypolicy",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "defaultValue": "False",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "String",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/sites"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[[field('kind')]",
+ "contains": "workflowapp"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[[parameters('profileName')]",
+ "evaluationDelay": "AfterProvisioning",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "logAnalytics": {
+ "type": "String"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Web/sites/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "WorkflowRuntime",
+ "enabled": "[[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ },
+ "profileName": {
+ "value": "[[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "name": "Deploy-LogicApp-Diagnostics"
+ },
+ {
+ "properties": {
+ "displayName": "App Service certificates must be stored in Key Vault",
+ "mode": "Indexed",
+ "description": "App Service (including Logic apps and Function apps) must use certificates stored in Key Vault",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "App Service"
+ },
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "Audit",
+ "Disabled",
+ "Deny"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Web/certificates"
+ },
+ {
+ "anyOf": [
+ {
+ "field": "Microsoft.Web/certificates/keyVaultId",
+ "exists": "false"
+ },
+ {
+ "field": "Microsoft.Web/certificates/keyVaultSecretName",
+ "exists": "false"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[[parameters('effect')]"
+ }
+ }
+ },
+ "name": "Deny-AppService-without-BYOC"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "name": "[variables('policies').policyDefinitions[copyIndex()].name]",
+ "apiVersion": "2019-09-01",
+ "copy": {
+ "name": "policyDefinitionCopy",
+ "count": "[length(variables('policies').policyDefinitions)]"
+ },
+ "properties": {
+ "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]",
+ "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]",
+ "mode": "[variables('policies').policyDefinitions[copyIndex()].properties.mode]",
+ "policyType": "Custom",
+ "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]",
+ "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]",
+ "metadata": "[variables('policies').policyDefinitions[copyIndex()].properties.metadata]"
+ }
+ },
+ {
+ "type": "Microsoft.Authorization/policySetDefinitions",
+ "apiVersion": "2021-06-01",
+ "name": "Compliant-App-Service",
+ "dependsOn": [
+ "policyDefinitionCopy"
+ ],
+ "properties": {
+ "metadata": {
+ "version": "1.0.0",
+ "category": "App Service"
+ },
+ "displayName": "Enforce secure-by-default App Service for regulated industries",
+ "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones",
+ "policyDefinitionGroups": [
+ {
+ "name": "Encryption",
+ "category": "Data Protection",
+ "displayName": "Ensure App Service is using secure encryption",
+ "description": "Policy to ensure App Service is using secure encryption"
+ },
+ {
+ "name": "Network",
+ "category": "Network Security",
+ "displayName": "Ensure App Service is not accessible over the public internet",
+ "description": "Policy to ensure App Service is not accessible over the public internet"
+ },
+ {
+ "name": "Identity",
+ "category": "Identity Management",
+ "displayName": "Ensure usage of centralized identity and auhtorization system for App Service",
+ "description": "Policy to ensure App Service is not using local authorization"
+ },
+ {
+ "name": "Logging",
+ "category": "Logging and Threat Detection",
+ "displayName": "Ensure App Service is logging all events to Log Analytics",
+ "description": "Policy to ensure App Service is logging all events to Log Analytics workspace"
+ },
+ {
+ "name": "Posture",
+ "category": "Posture and Vulnerability Management",
+ "displayName": "",
+ "description": ""
+ }
+ ],
+ "parameters": {
+ "appServiceAppSlotTls": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "appServiceAppHttps": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "functionAppDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "functionAppsDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "functionAppTls": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "functionAppDebugging": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "appServiceDisableLocalAuth": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "appEnvDisablePublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceAppsModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "appServiceAppModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "appServiceSkuPl": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceDisableLocalAuthFtp": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "appServiceRouting": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "functionAppSlotsHttps": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceScmAuth": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "functionAppHttps": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appSlotsPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "functionAppPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceTls": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceRfc": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceAppsRfc": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceAppSlotsHttps": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceAppsVnetRouting": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceAppsHttps": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceEnvLatestVersion": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "appServiceAppSlotsRemoteDebugging": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "appServiceAppsRemoteDebugging": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "appServiceAppsTls": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "functionAppSlotsModifyPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "functionAppSlotsModifyHttps": {
+ "type": "string",
+ "defaultValue": "Modify"
+ },
+ "functionAppSlotsTls": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "apiAppHttps": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "functionDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "functionLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "appServiceDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "appServiceLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "logicAppPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "logicAppHttps": {
+ "type": "string",
+ "defaultValue": "Deny"
+ },
+ "logicAppTls": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "logicAppDiagnostics": {
+ "type": "string",
+ "defaultValue": "DeployIfNotExists"
+ },
+ "logicAppLogAnalyticsWorkspaceId": {
+ "type": "string",
+ "defaultValue": ""
+ },
+ "appServiceByoc": {
+ "type": "string",
+ "defaultValue": "Deny"
+ }
+ },
+ "policyDefinitions": [
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[2].name)]",
+ "policyDefinitionReferenceId": "Dine-AppService-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('appServiceLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[1].name)]",
+ "policyDefinitionReferenceId": "Dine-Function-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('functionDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('functionLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[0].name)]",
+ "policyDefinitionReferenceId": "Deny-Api-Apps-Https",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('apiAppHttps')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[3].name)]",
+ "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('logicAppPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[4].name)]",
+ "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('logicAppHttps')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[5].name)]",
+ "policyDefinitionReferenceId": "Dine-LogicApp-Tls",
+ "groupNames": [
+ "Network",
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('logicAppTls')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[6].name)]",
+ "policyDefinitionReferenceId": "Dine-LogicApp-Diagnostics",
+ "groupNames": [
+ "Logging"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('logicAppDiagnostics')]"
+ },
+ "logAnalytics": {
+ "value": "[[parameters('logicAppLogAnalyticsWorkspaceId')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/', variables('policies').policyDefinitions[7].name)]",
+ "policyDefinitionReferenceId": "Deny-AppService-Byoc",
+ "groupNames": [
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceByoc')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063",
+ "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls",
+ "groupNames": [
+ "Network",
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('functionAppSlotsTls')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b",
+ "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('functionAppSlotsModifyHttps')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c",
+ "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('functionAppSlotsModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d",
+ "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls",
+ "groupNames": [
+ "Network",
+ "Encryption"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceAppsTls')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b",
+ "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceAppsRemoteDebugging')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c",
+ "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceAppsModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee",
+ "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceAppModifyPublicNetworkAccess')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd",
+ "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceAppSlotsRemoteDebugging')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a",
+ "policyDefinitionReferenceId": "Deny-AppService-Latest-Version",
+ "groupNames": [
+ "Posture"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceEnvLatestVersion')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d",
+ "policyDefinitionReferenceId": "Deny-AppService-Apps-Https",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceAppsHttps')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5",
+ "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
+ "value": "[[parameters('appServiceAppsVnetRouting')]"
+ }
+ }
+ },
+ {
+ "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc",
+ "policyDefinitionReferenceId": "Deny-AppService-Slots-Https",
+ "groupNames": [
+ "Network"
+ ],
+ "parameters": {
+ "effect": {
"value": "[[parameters('appServiceAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", + "policyDefinitionReferenceId": "Deny-AppService-Rfc", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", + "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppsRfc')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", + "policyDefinitionReferenceId": "Deny-AppService-Tls", + "groupNames": [ + "Network", + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", + "policyDefinitionReferenceId": "Deny-FuncApp-Public", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", + "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", + "policyDefinitionReferenceId": "Deny-AppSlots-Public", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appSlotsPublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": 
"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", + "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", + "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceScmAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", + "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppSlotsHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", + "policyDefinitionReferenceId": "Deny-AppServ-Routing", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceRouting')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", + "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuthFtp')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5", + "policyDefinitionReferenceId": "Deny-AppServ-SkuPl", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceSkuPl')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", + "policyDefinitionReferenceId": 
"Deny-AppEnv-Public", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appEnvDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", + "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", + "groupNames": [ + "Identity" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisableLocalAuth')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", + "policyDefinitionReferenceId": "DINE-AppService-Debugging", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppDebugging')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", + "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppSlotTls')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63", + "policyDefinitionReferenceId": "Modify-AppService-Https", + "groupNames": [ + "Encryption" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceAppHttps')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "policyDefinitionReferenceId": "Deny-FunctionApp-Public", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "policyDefinitionReferenceId": "Deny-FunctionApps-Public", + "groupNames": [ + "Network" + ], + 
"parameters": { + "effect": { + "value": "[[parameters('functionAppsDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", + "policyDefinitionReferenceId": "Deny-AppService-Public", + "groupNames": [ + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('appServiceDisablePublicNetworkAccess')]" + } + } + }, + { + "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "policyDefinitionReferenceId": "Deny-FunctionApp-Tls", + "groupNames": [ + "Encryption", + "Network" + ], + "parameters": { + "effect": { + "value": "[[parameters('functionAppTls')]" + } + } + } + ] + } + } + ] +} \ No newline at end of file