EnterprisePolicyAsCode

7.1.6

policyAssignments/CAF-IdentityMG-Default.json

{
    "nodeName": "/Identity/",
    "scope": {
        "tenant1": [
            "/providers/Microsoft.Management/managementGroups/identity"
        ]
    },
    "children": [
        {
            "nodeName": "Networking/",
            "children": [
                {
                    "nodeName": "PublicIP",
                    "assignment": {
                        "name": "Deny-Public-IP",
                        "displayName": "Deny the creation of public IP",
                        "description": "This policy denies creation of Public IPs under the assigned scope."
                    },
                    "definitionEntry": {
                        "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
                        "friendlyNameToDocumentIfGuid": "Deny Public IP"
                    },
                    "parameters": {
                        "listOfResourceTypesNotAllowed": [
                            "Microsoft.Network/publicIPAddresses"
                        ],
                        "effect": "Deny"
                    }
                },
                {
                    "nodeName": "DenyMgmt",
                    "assignment": {
                        "name": "Deny-MgmtPorts-Internet",
                        "displayName": "Management port access from the Internet should be blocked",
                        "description": "This policy denies any network security rule that allows management port access from the Internet"
                    },
                    "definitionEntry": {
                        "policyName": "Deny-MgmtPorts-From-Internet",
                        "friendlyNameToDocumentIfGuid": "Deny Management Ports"
                    }
                },
                {
                    "nodeName": "NoNSG",
                    "assignment": {
                        "name": "Deny-Subnet-Without-Nsg",
                        "displayName": "Subnets should have a Network Security Group",
                        "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets."
                    },
                    "definitionEntry": {
                        "policyName": "Deny-Subnet-Without-Nsg",
                        "friendlyNameToDocumentIfGuid": "Deny Subnet without NSG"
                    }
                }
            ]
        },
        {
            "nodeName": "Compute/",
            "children": [
                {
                    "nodeName": "Backup",
                    "assignment": {
                        "name": "Deploy-VM-Backup",
                        "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy",
                        "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag."
                    },
                    "definitionEntry": {
                        "policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86",
                        "friendlyNameToDocumentIfGuid": "Deploy VM Backup"
                    },
                    "parameters":{
                        "exclusionTagName": "",
                        "exclusionTagValue": [
                             
                        ]
                    }
                }
            ]
        }
    ]
}