Questions tagged [azure-policy]

The 'azure-policy' tag is meant to be used on all questions related to authoring, assigning, and grouping of Azure Policy definitions and initiatives. This will improve the visibility of the questions to both the community and Azure Governance product team.

480 questions
2 votes, 1 answer

Create an azure policy to block role assignments to certain principal types, except when created by specified users

I have a requirement that subscription owners may only create role assignments for applications, not for users and groups. There should be an exception for certain identities that are allowed to create role assignments for users and groups. The…
2 votes, 3 answers

Combining Multiple Value Json Payload using Azure APIM policies

Hi, I have a current payload in APIM, which I want to transform into another payload. Current Payload: { "insurance_id": "2112", "insurer_info": { "first": "Tony", "last": "Stark" } } Expected Payload: { "id": "2112", …
2 votes, 1 answer

Azure API Management Policy- "rewrite-url" policy

I am trying to create a policy that will pull the insurer ID out of the input body and put it in the URL as shown in the picture below. Trying to clean up request body and reconstruct URL so the request can successfully post to our approve…
2 votes, 1 answer

Azure policies (gatekeeper) monitoring on AKS via Prometheus and Grafana

I have enabled Azure policies via Terraform and applied them to the AKS cluster. I can see pods are deployed, up and running. I applied the in-built initiative here too with effect "audit" to test out how Azure policies work on the AKS cluster. $ kubectl get pods…
Veerendra K
2 votes, 1 answer

azure policy if condition, can not have 2 resource types?

I'm writing a simple policy, if it's an Azure PaaS SQL, and has a public IP in the firewall rule, it will evaluate. { "mode": "All", "policyRule": { "if": { "allOf": [ { "field":…
Roger Chen
2 votes, 1 answer

Bicep: azure policy assignment scope

I am trying to deploy an Azure Policy Assignment with Bicep. resource policy_assignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = { name: 'my_policy' location: 'westus' scope:…
MoonHorse
2 votes, 1 answer

How to use `policy_definition_reference` block with templatefile(path,vars) syntax

I’m working on setting multiple tagging policy definitions using Terraform. I have mentioned the tag definitions with policy definition id’s and parameters in custom json file. tag_definitions.json [ { "parameters": { "tagName": { …
Pradeep
2 votes, 2 answers

How To use Azure Update management for Automating patch management of all Virtual machines under a subscription including future machines

I have an Azure policy which installs Microsoft monitoring agent on all the VMs. I have an Automation Account which is linked to the Log analytics workspace. The Automation Account has a scheduler which has a dynamic query to fetch all the VMs with Tag…
2 votes, 1 answer

Azure API Management policy caching of JWKs for JWT validation

I'm trying to implement caching of public key provided by openid-configuration/jwks endpoint of our JWT provider. I want to use cached value for validation of signature of incoming request. We want to have cache in place in order to lower requesting…
2 votes, 1 answer

Azure policy not creating roles for managed identity when deployed through devOps

I created an Azure policy via DevOps. I had a role enabled as given below (storage contributor). The identity was created for the policy but there was no role assigned to it. So I had to manually create it to run the remediation task. Shouldn't the…
Blue Clouds
2 votes, 0 answers

Azure Policy "SSH access from the Internet should be blocked" with effect deny

My goal: Prevent VMs being accessed via SSH by denying NSG rules which allow inbound traffic via the port 22. I first tried to write a custom policy by myself and then to re-write this policy: SSH access from the Internet should be blocked. But in…
bogg
2 votes, 1 answer

Restricting Tag Editing, while being Owner of Resource Group

Hey everyone, I have a subscription where I want to create "sandbox" environments for people. My goal is to give folks a resource group, and make them owner of the Resource Group. They can do anything they want in this little resource group, but…
Chief
2 votes, 2 answers

How to restrict web site access hosted on Azure based on Country

I have a web site hosted on Azure. I want my web site to be accessed only in US. If someone tries to access my web site from other countries like India, Japan, Russia etc, it should be forbidden. I tried various options like restricting using Azure…
2 votes, 1 answer

Azure Policy to deny role assignments for specific role definition ids (Roles)

Attempting to configure what Azure Role definitions Ids (roles) are allowed to be assigned, via role assignments, utilizing Azure Policy. The below policies all create without error, but Azure role assignments are still possible for all roles…
Gvazzana
2 votes, 0 answers

Moving Azure Subscription to New Mgmt Group

We're looking at moving an Azure subscription under a new management group, I just wanted to see if there are any implications to the workloads running on the subscription? The subscription is already under a management group, however we are moving it to a…
Norrin Rad