governance-policies.md

File metadata and controls

85 lines (53 loc) · 9.13 KB

Governance suggested policies

Here is a list of suggested built-in Azure Policy definitions you can assign in your environment to support your governance approach.

☑️ Compute

Allowed virtual machine size SKUs: This policy enables you to specify a set of virtual machine size SKUs that your organization can deploy.


☑️ General

Allowed locations: This policy enables you to restrict the locations your organization can specify when deploying resources. Use to enforce your geo-compliance requirements. Excludes resource groups, Microsoft.AzureActiveDirectory/b2cDirectories, and resources that use the 'global' region.


Allowed locations for resource groups: This policy enables you to restrict the locations your organization can create resource groups in. Use to enforce your geo-compliance requirements.


Allowed resource types: This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy, because its 'mode' is 'Indexed'. To restrict all resources, including resource groups, duplicate this policy and change the 'mode' to 'All'.

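The two location and resource-type policies above rely on details that are easy to miss in the Azure Portal: the exclusions for 'global' resources and B2C directories are ordinary conditions inside the rule, and the 'Indexed' versus 'All' mode decides whether resource groups are evaluated at all. The following added example (not code from this repository or from Azure) is a minimal evaluator for the Azure Policy condition language that runs the 'Allowed locations' rule offline against a handful of constructed resources. The rule JSON is reproduced from the built-in definition as remembered and its exact shape is an assumption; the Indexed-mode behaviour is approximated as "skip resource groups, subscriptions and anything without a location"; all resource names are made up.

```python
"""Minimal evaluator for the Azure Policy condition language, sufficient to run
the built-in 'Allowed locations' rule against sample resources offline.

Added illustration; not the page's own code and not Azure's evaluator. The
definition below is reproduced from memory of the built-in (assumption), the
Indexed-mode handling is a simplification, and the resources are constructed.
"""
import copy
import json

# Policy rule of the built-in 'Allowed locations' definition (mode 'Indexed').
# The second and third allOf conditions are the exclusions the description
# mentions: the 'global' region and Microsoft.AzureActiveDirectory/b2cDirectories.
ALLOWED_LOCATIONS_DEFINITION = json.loads("""
{
  "mode": "Indexed",
  "parameters": {"listOfAllowedLocations": {"type": "Array"}},
  "policyRule": {
    "if": {
      "allOf": [
        {"field": "location", "notIn": "[parameters('listOfAllowedLocations')]"},
        {"field": "location", "notEquals": "global"},
        {"field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"}
      ]
    },
    "then": {"effect": "deny"}
  }
}
""")

# Types that 'Indexed' mode does not evaluate; they are only reached by mode
# 'All' (which is why a separate 'Allowed locations for resource groups' exists).
_NOT_INDEXED = {
    "Microsoft.Resources/subscriptions",
    "Microsoft.Resources/subscriptions/resourceGroups",
}

# Constructed sample inventory, one resource per interesting case.
SAMPLE_RESOURCES = [
    {"name": "vm-prod-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "vm-dev-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"name": "contoso.com", "type": "Microsoft.Network/dnszones", "location": "global"},
    {"name": "contosob2c", "type": "Microsoft.AzureActiveDirectory/b2cDirectories", "location": "United States"},
    {"name": "rg-legacy", "type": "Microsoft.Resources/subscriptions/resourceGroups", "location": "eastus"},
]


def resolve(value, params):
    """Resolve the only template expression this subset needs: [parameters('x')]."""
    prefix, suffix = "[parameters('", "')]"
    if isinstance(value, str) and value.startswith(prefix) and value.endswith(suffix):
        return params[value[len(prefix):-len(suffix)]]
    return value


def _norm(value):
    # Azure Policy string comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value


def evaluate_condition(cond, resource, params):
    """Recursively evaluate allOf / anyOf / not and the common field operators."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource, params)
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "notEquals" in cond:
        return actual != _norm(resolve(cond["notEquals"], params))
    if "in" in cond:
        return actual in [_norm(v) for v in resolve(cond["in"], params)]
    if "notIn" in cond:
        return actual not in [_norm(v) for v in resolve(cond["notIn"], params)]
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(definition, resource, params):
    """Return the effect applied to a resource, or None when the policy does not apply.

    Simplification: 'Indexed' mode skips resource groups, subscriptions and any
    resource that carries no 'location' (stand-in for 'no tags/location support')."""
    if definition["mode"].lower() == "indexed":
        if resource["type"] in _NOT_INDEXED or "location" not in resource:
            return None
    if evaluate_condition(definition["policyRule"]["if"], resource, params):
        return definition["policyRule"]["then"]["effect"]
    return None


def with_mode(definition, mode):
    """The 'duplicate this policy and change the mode to All' step, as a copy."""
    clone = copy.deepcopy(definition)
    clone["mode"] = mode
    return clone


def run_report(definition, resources, params):
    """Map each resource name to the effect the definition would apply."""
    return {r["name"]: evaluate(definition, r, params) for r in resources}


if __name__ == "__main__":
    params = {"listOfAllowedLocations": ["westeurope", "northeurope"]}
    print("Indexed:", run_report(ALLOWED_LOCATIONS_DEFINITION, SAMPLE_RESOURCES, params))
    print("All:    ", run_report(with_mode(ALLOWED_LOCATIONS_DEFINITION, "All"), SAMPLE_RESOURCES, params))
```

With the allowed list set to West Europe and North Europe, only the East US virtual machine is denied in Indexed mode: the DNS zone passes because its location is 'global', the B2C directory passes because of the type exclusion, and the East US resource group is never evaluated. Switching the copy to mode 'All' makes the resource group a deny as well, which is the behaviour the description refers to.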

Audit resource location matches resource group location: Audit that the resource location matches its resource group location


Audit usage of custom RBAC rules: Audits the use of custom RBAC roles. Prefer the built-in roles such as 'Owner', 'Contributor' and 'Reader' over custom roles, whose definitions are error prone. Using a custom role is treated as an exception and requires a rigorous review and threat modeling.


Custom subscription owner roles should not exist: This policy ensures that no custom subscription owner roles exist.


Not allowed resource types: Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources.


☑️ Security

✔️ Please note that if you decide to enable the Azure Security Center built-in initiatives, be on the lookout for overlapping or conflicting assignments. See the Azure Policy built-in definitions for Azure Security Center.

A maximum of 3 owners should be designated for your subscription: It is recommended to designate no more than 3 subscription owners in order to limit the blast radius of a compromised owner account.


MFA should be enabled on accounts with owner permissions on your subscription: Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources.


Subscriptions should have a contact email address for security issues: To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center.


There should be more than one owner assigned to your subscription: It is recommended to designate more than one subscription owner in order to have administrator access redundancy.


☑️ Tags

Require a tag on resource groups: Enforces existence of a tag on resource groups.


Inherit a tag from the resource group if missing: Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated. Existing resources can be remediated by triggering a remediation task. If the tag exists with a different value it will not be changed.

