policyAssignments/CAF-RootMG-Default.json

{
    "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
    "nodeName": "/Root/",
    "scope": {
        "tenant1": [
            "/providers/Microsoft.Management/managementGroups/toplevelmanagementgroup"
        ]
    },
    "parameters": {
        "logAnalytics": "",
        "logAnalytics_1": "",
        "emailSecurityContact": "",
        "ascExportResourceGroupName": "mdfc-export",
        "ascExportResourceGroupLocation": ""
    },
    "children": [
        {
            "nodeName": "Security/",
            "children": [
                {
                    "nodeName": "ASB",
                    "assignment": {
                        "name": "Deploy-ASC-Monitoring",
                        "displayName": "Microsoft Cloud Security Benchmark",
                        "description": "Microsoft Cloud Security Benchmark policy initiative"
                    },
                    "definitionEntry": {
                        "policySetName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
                        "friendlyNameToDocumentIfGuid": "Microsoft Cloud Security Benchmark"
                    },
                    "parameters": {},
                    "nonComplianceMessages": [
                        {
                            "message": "Microsoft Cloud Security Benchmark must be met."
                        }
                    ]
                },
                {
                    "nodeName": "MDFC",
                    "assignment": {
                        "name": "Deploy-MDFC-Config",
                        "displayName": "Deploy Microsoft Defender for Cloud configuration",
                        "description": "Deploy Microsoft Defender for Cloud and Security Contacts"
                    },
                    "definitionEntry": {
                        "policySetName": "Deploy-MDFC-Config",
                        "friendlyNameToDocumentIfGuid": "Microsoft Defender For Cloud"
                    },
                    "parameters": {
                        "enableAscForServers": "Disabled",
                        "enableAscForSql": "Disabled",
                        "enableAscForAppServices": "Disabled",
                        "enableAscForStorage": "Disabled",
                        "enableAscForContainers": "Disabled",
                        "enableAscForKeyVault": "Disabled",
                        "enableAscForSqlOnVm": "Disabled",
                        "enableAscForArm": "Disabled",
                        "enableAscForDns": "Disabled",
                        "enableAscForOssDb": "Disabled",
                        "enableAscForCosmosDbs": "Disabled",
                        "enableAscForServersVulnerabilityAssessments": "Disabled",
                        "enableAscForApis": "Disabled",
                        "enableAscForCspm": "Disabled"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Microsoft Defender for Cloud and Security Contacts must be deployed."
                        }
                    ]
                },
                {
                    "nodeName": "MDFE",
                    "assignment": {
                        "name": "Deploy-MDEndpoints",
                        "displayName": "[Preview]: Deploy Microsoft Defender for Endpoint agent",
                        "description": "Deploy Microsoft Defender for Endpoint agent on applicable images."
                    },
                    "definitionEntry": {
                        "policySetName": "e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
                        "friendlyNameToDocumentIfGuid": "Microsoft Defender for Endpoint agent"
                    },
                    "parameters": {
                        "microsoftDefenderForEndpointWindowsVmAgentDeployEffect": "DeployIfNotExists",
                        "microsoftDefenderForEndpointLinuxVmAgentDeployEffect": "DeployIfNotExists",
                        "microsoftDefenderForEndpointWindowsArcAgentDeployEffect": "DeployIfNotExists",
                        "microsoftDefenderForEndpointLinuxArcAgentDeployEffect": "DeployIfNotExists"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Microsoft Defender for Endpoint agent must be deployed on applicable images."
                        }
                    ]
                },
                {
                    "nodeName": "MDFEOSSDB",
                    "assignment": {
                        "name": "Deploy-MDFC-OssDb",
                        "displayName": "Configure Advanced Threat Protection to be enabled on open-source relational databases",
                        "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu."
                    },
                    "definitionEntry": {
                        "policySetName": "e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
                        "friendlyNameToDocumentIfGuid": "Microsoft Defender for Endpoint open-source relational databases"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Advanced Threat Protection must be enabled on open-source relational databases."
                        }
                    ]
                },
                {
                    "nodeName": "MDFCSQLATP",
                    "assignment": {
                        "name": "Deploy-MDFC-SqlAtp",
                        "displayName": "Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances",
                        "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases."
                    },
                    "definitionEntry": {
                        "policySetName": "9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
                        "friendlyNameToDocumentIfGuid": "Microsoft Defender for SQL Servers and SQL Managed Instances"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Azure Defender must be enabled on SQL Servers and SQL Managed Instances."
                        }
                    ]
                },
                {
                    "nodeName": "ACSB",
                    "assignment": {
                        "name": "Enforce-ACSB",
                        "displayName": "Enforce Azure Compute Security Baseline compliance auditing",
                        "description": "This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines."
                    },
                    "definitionEntry": {
                        "policySetName": "Enforce-ACSB",
                        "friendlyNameToDocumentIfGuid": "Azure Compute Security Baseline"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Azure Compute Security Baseline compliance auditing must be enforced."
                        }
                    ]
                }
            ]
        },
        {
            "nodeName": "Logging/",
            "children": [
                {
                    "nodeName": "ActivityLogs",
                    "assignment": {
                        "name": "Deploy-AzActivity-Log",
                        "displayName": "Configure Azure Activity logs to stream to specified Log Analytics workspace",
                        "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events"
                    },
                    "definitionEntry": {
                        "policyName": "2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
                        "friendlyNameToDocumentIfGuid": "Activity Logs"
                    },
                    "parameters": {},
                    "nonComplianceMessages": [
                        {
                            "message": "Azure Activity logs must be configured to stream to specified Log Analytics workspace."
                        }
                    ]
                },
                {
                    "nodeName": "ResourceDiagnostics",
                    "assignment": {
                        "name": "Deploy-Resource-Diag",
                        "displayName": "Deploy-Resource-Diag",
                        "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace."
                    },
                    "definitionEntry": {
                        "policySetName": "Deploy-Diagnostics-LogAnalytics",
                        "friendlyNameToDocumentIfGuid": "Resource Diagnostics"
                    },
                    "parameters": {},
                    "nonComplianceMessages": [
                        {
                            "message": "Diagnostic settings must be deployed to Azure services."
                        }
                    ]
                }
            ]
        },
        {
            "nodeName": "Compute/",
            "children": [
                {
                    "nodeName": "VMMonitoring",
                    "assignment": {
                        "name": "Deploy-VM-Monitoring",
                        "displayName": "Enable Azure Monitor for VMs",
                        "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
                    },
                    "definitionEntry": {
                        "policySetName": "55f3eceb-5573-4f18-9695-226972c6d74a",
                        "friendlyNameToDocumentIfGuid": "VM Monitoring"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Azure Monitor must be enabled for Virtual Machines."
                        }
                    ]
                },
                {
                    "nodeName": "VMSSMonitoring",
                    "assignment": {
                        "name": "Deploy-VMSS-Monitoring",
                        "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
                        "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances."
                    },
                    "definitionEntry": {
                        "policySetName": "75714362-cae7-409e-9b99-a8e5075b7fad",
                        "friendlyNameToDocumentIfGuid": "VMSS Monitoring"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Azure Monitor must be enabled for Virtual Machine Scale Sets."
                        }
                    ]
                },
                {
                    "nodeName": "DenyUnmanagedDisk",
                    "assignment": {
                        "name": "Deny-UnmanagedDisk",
                        "displayName": "Deny virtual machines and virtual machine scale sets that do not use managed disk",
                        "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields."
                    },
                    "definitionEntry": {
                        "policyName": "06a78e20-9358-41c9-923c-fb736d382a4d",
                        "friendlyNameToDocumentIfGuid": "Unmanaged Disks"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Virtual machines and virtual machine scales sets must use a managed disk."
                        }
                    ],
                    "overrides": [
                        {
                            "kind": "policyEffect",
                            "value": "Deny"
                        }
                    ]
                }
            ]
        },
        {
            "nodeName": "Platform/",
            "children": [
                {
                    "nodeName": "DenyClassicResources",
                    "assignment": {
                        "name": "Deny-Classic-Resources",
                        "displayName": "Deny the deployment of classic resources",
                        "description": "Denies deployment of classic resource types under the assigned scope."
                    },
                    "definitionEntry": {
                        "policyName": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749",
                        "friendlyNameToDocumentIfGuid": "Deny Classic Resources"
                    },
                    "parameters": {
                        "listOfResourceTypesNotAllowed": [
                            "Microsoft.ClassicCompute/capabilities",
                            "Microsoft.ClassicCompute/checkDomainNameAvailability",
                            "Microsoft.ClassicCompute/domainNames",
                            "Microsoft.ClassicCompute/domainNames/capabilities",
                            "Microsoft.ClassicCompute/domainNames/internalLoadBalancers",
                            "Microsoft.ClassicCompute/domainNames/serviceCertificates",
                            "Microsoft.ClassicCompute/domainNames/slots",
                            "Microsoft.ClassicCompute/domainNames/slots/roles",
                            "Microsoft.ClassicCompute/domainNames/slots/roles/metricDefinitions",
                            "Microsoft.ClassicCompute/domainNames/slots/roles/metrics",
                            "Microsoft.ClassicCompute/moveSubscriptionResources",
                            "Microsoft.ClassicCompute/operatingSystemFamilies",
                            "Microsoft.ClassicCompute/operatingSystems",
                            "Microsoft.ClassicCompute/operations",
                            "Microsoft.ClassicCompute/operationStatuses",
                            "Microsoft.ClassicCompute/quotas",
                            "Microsoft.ClassicCompute/resourceTypes",
                            "Microsoft.ClassicCompute/validateSubscriptionMoveAvailability",
                            "Microsoft.ClassicCompute/virtualMachines",
                            "Microsoft.ClassicCompute/virtualMachines/diagnosticSettings",
                            "Microsoft.ClassicCompute/virtualMachines/metricDefinitions",
                            "Microsoft.ClassicCompute/virtualMachines/metrics",
                            "Microsoft.ClassicInfrastructureMigrate/classicInfrastructureResources",
                            "Microsoft.ClassicNetwork/capabilities",
                            "Microsoft.ClassicNetwork/expressRouteCrossConnections",
                            "Microsoft.ClassicNetwork/expressRouteCrossConnections/peerings",
                            "Microsoft.ClassicNetwork/gatewaySupportedDevices",
                            "Microsoft.ClassicNetwork/networkSecurityGroups",
                            "Microsoft.ClassicNetwork/operations",
                            "Microsoft.ClassicNetwork/quotas",
                            "Microsoft.ClassicNetwork/reservedIps",
                            "Microsoft.ClassicNetwork/virtualNetworks",
                            "Microsoft.ClassicNetwork/virtualNetworks/remoteVirtualNetworkPeeringProxies",
                            "Microsoft.ClassicNetwork/virtualNetworks/virtualNetworkPeerings",
                            "Microsoft.ClassicStorage/capabilities",
                            "Microsoft.ClassicStorage/checkStorageAccountAvailability",
                            "Microsoft.ClassicStorage/disks",
                            "Microsoft.ClassicStorage/images",
                            "Microsoft.ClassicStorage/operations",
                            "Microsoft.ClassicStorage/osImages",
                            "Microsoft.ClassicStorage/osPlatformImages",
                            "Microsoft.ClassicStorage/publicImages",
                            "Microsoft.ClassicStorage/quotas",
                            "Microsoft.ClassicStorage/storageAccounts",
                            "Microsoft.ClassicStorage/storageAccounts/blobServices",
                            "Microsoft.ClassicStorage/storageAccounts/fileServices",
                            "Microsoft.ClassicStorage/storageAccounts/metricDefinitions",
                            "Microsoft.ClassicStorage/storageAccounts/metrics",
                            "Microsoft.ClassicStorage/storageAccounts/queueServices",
                            "Microsoft.ClassicStorage/storageAccounts/services",
                            "Microsoft.ClassicStorage/storageAccounts/services/diagnosticSettings",
                            "Microsoft.ClassicStorage/storageAccounts/services/metricDefinitions",
                            "Microsoft.ClassicStorage/storageAccounts/services/metrics",
                            "Microsoft.ClassicStorage/storageAccounts/tableServices",
                            "Microsoft.ClassicStorage/storageAccounts/vmImages",
                            "Microsoft.ClassicStorage/vmImages",
                            "Microsoft.ClassicSubscription/operations"
                        ]
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Classic resources must not be deployed."
                        }
                    ]
                },
                {
                    "nodeName": "UnusedResources",
                    "assignment": {
                        "name": "Audit-UnusedResources",
                        "displayName": "Unused resources driving cost should be avoided",
                        "description": "This Policy initiative is a group of Policy definitions that help optimize cost by detecting unused but chargeable resources. Leverage this Policy initiative as a cost control to reveal orphaned resources that are driving cost."
                    },
                    "definitionEntry": {
                        "policySetName": "Audit-UnusedResourcesCostOptimization",
                        "friendlyNameToDocumentIfGuid": "Unused Resources"
                    },
                    "nonComplianceMessages": [
                        {
                            "message": "Unused resources driving cost must be avoided."
                        }
                    ]
                }
            ]
        }
    ]
}