AzureRecipes

Policy Assignments for PaaS Applications

The following set of built-in policies is recommended as initial basis for typical PaaS applications. Ideally this are applied to an appropriate Management Group being parent of these applications.

Policy	Resource Type(s)	Configuration	Effect	Purpose
Enable Microsoft Defender for Cloud on your subscription	Subscription	None	DeployIfNotExists	Automatically enables free tier of Microsoft Defender
Require a tag on resource groups	Resource Group	Assigned for following tags according to [1]	Deny	Ensure that Resource Groups have the required tags applied and prevent creation otherwise
Inherit a tag from the resource group if missing	Resource Group	Assigned for following tags according to [1]	Modify	Automatically apply required tags from its parent Resource Group
Not allowed resource types	All	Forbidden resources see [2]	Deny	Avoid expenses and ensure guidelines
Allowed locations	All	Switzerland North & West Europe	Deny	Ensure guidelines
API App should only be accessible over HTTPS	App Service	None	Audit	Security
Function App should only be accessible over HTTPS	App Service	None	Audit	Security
Web Application should only be accessible over HTTPS	App Service	None	Audit	Security
Allowed storage account SKUs	Storage Account	Standard_LRS, Standard_ZRS, Standard_GRS, Standard_RAGRS	Deny	Avoid expenses
Secure transfer to storage accounts should be enabled	Storage Account	None	Audit	Security

[1] According to tagging convention:

• DeployedAt
• DeployedBy
• DeployedFrom

[2] (exkl. prefix “Microsoft.”):

• storsimple/managers
• vmwarecloudsimple/virtualmachines
• vmwarecloudsimple/locations
• vmware/virtualmachines
• vmware/vcenters
• vmware/locations
• sqlvirtualmachine/sqlvirtualmachines
• sqlvirtualmachine/sqlvirtualmachinegroups
• sqlvirtualmachine/locations
• sql/managedinstances
• servicefabric/clusters
• servicefabric/locations
• servicefabric/managedclusters
• offazure/vmwaresites
• offazure/mastersites
• offazure/locations
• offazure/hypervsites
• netapp/netappaccounts
• netapp/locations
• kubernetes/connectedclusters
• kubernetes/locations
• hybridcompute/machines
• hybridcompute/privatelinkscopes
• hybridcompute/locations
• hpcworkbench/instances
• hpcworkbench/locations
• hdinsight/clusterpools
• hdinsight/clusters
• hdinsight/locations
• hardwaresecuritymodules/dedicatedhsms
• hanaonazure/hanainstances
• hanaonazure/locations
• devtestlab/labs
• devtestlab/locations
• desktopvirtualization/applicationgroups
• desktopvirtualization/hostpools
• d365customerinsights/instances
• connectedvmwarevsphere/clusters
• connectedvmwarevsphere/datastores
• connectedvmwarevsphere/hosts
• connectedvmwarevsphere/locations
• connectedvmwarevsphere/vcenters
• connectedvmwarevsphere/virtualmachines
• compute/capacityreservationgroups
• compute/locations
• compute/virtualmachines
• compute/virtualmachinescalesets
• classiccompute/virtualmachines
• baremetalinfrastructure/baremetalinstances
• baremetalinfrastructure/locations
• azurestackhci/clusters
• azurestackhci/locations
• azurestackhci/virtualmachines
• azurestack/registrations
• azuresphere/catalogs
• azuresphere/locations
• avs/locations
• avs/privateclouds

Best Practices

• Create a User-assigned Managed Identity in advance with the roles Contributor and Security Admin on the Management Group. Use this identity in policy assignments, this prevents the generation of hardly identifiable Service Principals.
• Especially policy assignments with many configurations (like the Not allowed resource types) may be hardly manageable in the Azure Portal UI. Consider its definition with ARM/Bicep templates and an according deployment process.
• Tip: Azure CLI command to show current assignments: az policy assignment list --scope "/providers/Microsoft.Management/managementGroups/mg-applications"

References

• MSDN Azure Policy built-in policy definitions

This site is open source. Improve this page.