policyAssignments/CAF-IdentityMG-Default.json
|
{
"$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json", "nodeName": "/Identity/", "scope": { "tenant1": [ "/providers/Microsoft.Management/managementGroups/identity" ] }, "children": [ { "nodeName": "Networking/", "children": [ { "nodeName": "PublicIP", "assignment": { "name": "Deny-Public-IP", "displayName": "Deny the creation of public IP", "description": "This policy denies creation of Public IPs under the assigned scope." }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", "displayName": "Deny Public IP" }, "parameters": { "listOfResourceTypesNotAllowed": [ "Microsoft.Network/publicIPAddresses" ], "effect": "Deny" }, "nonComplianceMessages": [ { "message": "Public IPs must not be created under this scope." } ] }, { "nodeName": "DenyMgmt", "assignment": { "name": "Deny-MgmtPorts-Internet", "displayName": "Management port access from the Internet should be blocked", "description": "This policy denies any network security rule that allows management port access from the Internet" }, "definitionEntry": { "policyName": "Deny-MgmtPorts-From-Internet", "displayName": "Deny Management Ports" }, "nonComplianceMessages": [ { "message": "Management port access from the Internet must be blocked." } ] }, { "nodeName": "NoNSG", "assignment": { "name": "Deny-Subnet-Without-Nsg", "displayName": "Subnets should have a Network Security Group", "description": "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets." }, "definitionEntry": { "policyName": "Deny-Subnet-Without-Nsg", "displayName": "Deny Subnet without NSG" }, "nonComplianceMessages": [ { "message": "Subnets must have a Network Security Group." } ] } ] }, { "nodeName": "Compute/", "children": [ { "nodeName": "Backup", "assignment": { "name": "Deploy-VM-Backup", "displayName": "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy", "description": "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag." }, "definitionEntry": { "policyId": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", "displayName": "Deploy VM Backup" }, "parameters": { "exclusionTagName": "", "exclusionTagValue": [] }, "nonComplianceMessages": [ { "message": "Backup on virtual machines without a given tag must be configured to a new recovery services vault with a default policy." } ] } ] } ] } |