The following set of built-in policies is recommended as an initial baseline for typical PaaS applications. Ideally they are assigned to an appropriate Management Group that is the parent of these applications' subscriptions.

| Policy | Resource Type(s) | Configuration | Effect | Purpose |
|---|---|---|---|---|
| Enable Microsoft Defender for Cloud on your subscription | Subscription | None | DeployIfNotExists | Automatically enables the free tier of Microsoft Defender |
| Require a tag on resource groups | Resource Group | Assigned once per tag listed in [1] | Deny | Ensure that Resource Groups have the required tags applied and prevent creation otherwise |
| Inherit a tag from the resource group if missing | Resource Group | Assigned once per tag listed in [1] | Modify | Automatically apply required tags from the parent Resource Group |
| Not allowed resource types | All | Forbidden resource types, see [2] | Deny | Avoid expenses and enforce guidelines |
| Allowed locations | All | Switzerland North & West Europe | Deny | Enforce guidelines |
| API App should only be accessible over HTTPS | App Service | None | Audit | Security |
| Function App should only be accessible over HTTPS | App Service | None | Audit | Security |
| Web Application should only be accessible over HTTPS | App Service | None | Audit | Security |
| Allowed storage account SKUs | Storage Account | Standard_LRS, Standard_ZRS, Standard_GRS, Standard_RAGRS | Deny | Avoid expenses |
| Secure transfer to storage accounts should be enabled | Storage Account | None | Audit | Security |
[1] Tags required by the tagging convention:
- DeployedAt
- DeployedBy
- DeployedFrom
[2] Forbidden resource types (the “Microsoft.” prefix is omitted):
- storsimple/managers
- vmwarecloudsimple/virtualmachines
- vmwarecloudsimple/locations
- vmware/virtualmachines
- vmware/vcenters
- vmware/locations
- sqlvirtualmachine/sqlvirtualmachines
- sqlvirtualmachine/sqlvirtualmachinegroups
- sqlvirtualmachine/locations
- sql/managedinstances
- servicefabric/clusters
- servicefabric/locations
- servicefabric/managedclusters
- offazure/vmwaresites
- offazure/mastersites
- offazure/locations
- offazure/hypervsites
- netapp/netappaccounts
- netapp/locations
- kubernetes/connectedclusters
- kubernetes/locations
- hybridcompute/machines
- hybridcompute/privatelinkscopes
- hybridcompute/locations
- hpcworkbench/instances
- hpcworkbench/locations
- hdinsight/clusterpools
- hdinsight/clusters
- hdinsight/locations
- hardwaresecuritymodules/dedicatedhsms
- hanaonazure/hanainstances
- hanaonazure/locations
- devtestlab/labs
- devtestlab/locations
- desktopvirtualization/applicationgroups
- desktopvirtualization/hostpools
- d365customerinsights/instances
- connectedvmwarevsphere/clusters
- connectedvmwarevsphere/datastores
- connectedvmwarevsphere/hosts
- connectedvmwarevsphere/locations
- connectedvmwarevsphere/vcenters
- connectedvmwarevsphere/virtualmachines
- compute/capacityreservationgroups
- compute/locations
- compute/virtualmachines
- compute/virtualmachinescalesets
- classiccompute/virtualmachines
- baremetalinfrastructure/baremetalinstances
- baremetalinfrastructure/locations
- azurestackhci/clusters
- azurestackhci/locations
- azurestackhci/virtualmachines
- azurestack/registrations
- azuresphere/catalogs
- azuresphere/locations
- avs/locations
- avs/privateclouds
- Create a User-assigned Managed Identity in advance with the roles Contributor and Security Admin on the Management Group. Use this identity in policy assignments; this prevents the generation of hard-to-identify Service Principals for each DeployIfNotExists or Modify assignment.
- Policy assignments with many configuration values (like the Not allowed resource types list) are hard to manage in the Azure Portal UI. Consider defining them in ARM/Bicep templates with a corresponding deployment process.
- Tip: Azure CLI command to show the current assignments on the Management Group:

  ```
  az policy assignment list --scope "/providers/Microsoft.Management/managementGroups/mg-applications"
  ```
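As an added example of the template-based approach recommended above (not part of the original page), the following Bicep file assigns the "Not allowed resource types" Deny policy and one "Inherit a tag from the resource group if missing" Modify assignment per required tag at Management Group scope, using the pre-created user-assigned identity. The built-in definition GUIDs and the identity resource ID are passed in as parameters rather than hard-coded (the lookup command in the comment shows how to obtain them); the forbidden resource type list is an excerpt of [2].

```bicep
targetScope = 'managementGroup'

// Resource ID of the user-assigned managed identity created in advance with
// Contributor and Security Admin on the management group (assumed value).
param policyIdentityId string
param identityLocation string = 'switzerlandnorth'

// Built-in definition names (GUIDs) are not hard-coded; look them up once, e.g.
//   az policy definition list --query "[?displayName=='Not allowed resource types'].name" -o tsv
param notAllowedResourceTypesDefinitionName string
param inheritTagDefinitionName string

// Tags from the tagging convention [1].
var requiredTags = [ 'DeployedAt', 'DeployedBy', 'DeployedFrom' ]

// Excerpt of the forbidden resource types from [2], with the "Microsoft." prefix restored.
var forbiddenResourceTypes = [
  'Microsoft.Compute/virtualMachines'
  'Microsoft.Compute/virtualMachineScaleSets'
  'Microsoft.ClassicCompute/virtualMachines'
  'Microsoft.HDInsight/clusters'
  'Microsoft.Sql/managedInstances'
  'Microsoft.ServiceFabric/clusters'
]

// Deny assignment: no identity needed, a Deny effect never deploys or modifies anything.
// Assignment names at management group scope are limited to 24 characters.
resource denyResourceTypes 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-resource-types'
  properties: {
    displayName: 'Not allowed resource types'
    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', notAllowedResourceTypesDefinitionName)
    enforcementMode: 'Default'
    parameters: {
      listOfResourceTypesNotAllowed: { value: forbiddenResourceTypes }
    }
  }
}

// Modify assignments, one per required tag: these need the identity to write the tag.
resource inheritTag 'Microsoft.Authorization/policyAssignments@2022-06-01' = [for tag in requiredTags: {
  name: 'inherit-tag-${toLower(tag)}'
  location: identityLocation
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${policyIdentityId}': {} }
  }
  properties: {
    displayName: 'Inherit a tag from the resource group if missing: ${tag}'
    policyDefinitionId: tenantResourceId('Microsoft.Authorization/policyDefinitions', inheritTagDefinitionName)
    parameters: { tagName: { value: tag } }
  }
}]
```

Deploy it with `az deployment mg create --management-group-id mg-applications --location switzerlandnorth --template-file <file>.bicep` plus the parameter values; the Modify assignments only take effect for resources created afterwards unless a remediation task is started.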