Forum Widgets
Latest Discussions
Restrict Cost Consumption by using Azure Automation, Budget and Policy
Video See the demo video by using below link Demonstration Video Automation Runbook Logic Logic which set tag value once threshold exceeds # Authenticate using Managed Identity (recommended for Automation Accounts) Connect-AzAccount -Identity # Define Subscription ID and Reset Tag $subscriptionId = (Get-AzContext).Subscription.Id $tags = @{ "cost exceeded" = "yes" } # Resetting the tag value # Update the tag Update-AzTag -ResourceId "/subscriptions/$subscriptionId" -Tag $tags -Operation Merge Write-Output "Tag 'cost exceeded' reset to 'yes' for subscription $subscriptionId" Logic which reset tag value every month # Authenticate using Managed Identity (recommended for Automation Accounts) Connect-AzAccount -Identity # Define Subscription ID and Reset Tag $subscriptionId = (Get-AzContext).Subscription.Id $tags = @{ "cost exceeded" = "no" } # Resetting the tag value # Update the tag Update-AzTag -ResourceId "/subscriptions/$subscriptionId" -Tag $tags -Operation Merge Write-Output "Tag 'cost exceeded' reset to 'no' for subscription $subscriptionId" Azure Policy Logic { "properties": { "displayName": "budget", "policyType": "Custom", "mode": "All", "metadata": { "version": "1.0.0", "createdBy": "f6bb4303-e52d-4cba-9790-01f0798164b7", "createdOn": "2025-03-13T05:08:05.8483517Z", "updatedBy": "f6bb4303-e52d-4cba-9790-01f0798164b7", "updatedOn": "2025-03-13T06:32:35.1740944Z" }, "version": "1.0.0", "parameters": {}, "policyRule": { "if": { "allOf": [ { "field": "type", "notEquals": "Microsoft.Resources/subscriptions" }, { "value": "[subscription().tags['cost exceeded']]", "equals": "yes" } ] }, "then": { "effect": "Deny" } }, "versions": [ "1.0.0" ] }, }
Azure Policy require multiple tags with values
I have a policy that requires specific tag with specific values (json below), but I want to require more tags within the same policy also with specific value and not sure how to do it... Is there a way to add more tags with specific values to the same policy? For example, I want to require two tags: environment with prod/non-prod and department with Infra/Finance Is it possible? Thank you! { "properties": { "displayName": "Require tag environment and its values on resources ", "policyType": "Custom", "mode": "Indexed", "description": "Enforces a required tag environment and its value. Does not apply to resource groups.", "metadata": { "category": "Tags", "createdBy": "" "createdOn": "" "updatedBy": "" "updatedOn": "" }, "version": "1.0.0", "parameters": { "tagName": { "type": "String", "metadata": { "displayName": "Tag Name1", "description": "Name of the tag, such as 'environment'" }, "allowedValues": [ "environment" ] }, "tagValue": { "type": "Array", "metadata": { "displayName": "Tag Value1", "description": "Value of the tag, such as 'production'" }, "allowedValues": [ "prod", "non-prod" ] } }, "policyRule": { "if": { "not": { "field": "[concat('tags[', parameters('tagName'), ']')]", "in": "[parameters('tagValue')]" } }, "then": { "effect": "deny" } }, "versions": [ "1.0.0" ] }, } }What's the best way to report a bug?
I believe I have found a bug in the Azure Portal UI but how do I report this without incurring the cost of opening a support ticket? The issue is that I have created a couple of static websites in Blob Storage. I created a CDN Endpoint and assigned a custom domain. When I do this I should see a list of Endpoints under Azure CDN Endpoints but I don't. The only way to find it is to go to CDN Profiles where I find the endpoints listed.
Azure Resource Graph query to get subscription properties
I am very new to ARG queries. I am struggling to figure out how to get a list of our Azure Subscriptions using ARG, including some of the properties you see on the properties pane when using the azure portal. In particular, I want the property visually labelled "ACCOUNT ADMIN". Can anyone point me in the right direction? resourcecontainers | where type == 'microsoft.resources/subscriptions' | project subscriptionId, name, owner = ???
Microsoft Cloud Security Benchmark policies not reporting in Defender for Cloud
We enable the MCSB security policy at our tenant level and manage compliance via Defender for Cloud. However, I have found that some of the policies are listed are not showing in the Defender for Cloud recommendations. For example, the policy "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled" is visible via Defender for Cloud>Environment Settings>Security Policies>MCSB and is linked to Policy Id 0c28c3fb-c244-42d5-a9bf-f35f2999577b. Within Azure Policy Compliance, I can find the policy in the assignment for MCSB and it reports both compliant and non-compliant resources in my tenant. However, there is nothing reported in Defender for Cloud for the policy under the Recommendations>All Recommendations. I have checked the filters applied and know it should be there - the similar policy is showing correctly (named "Azure SQL Managed Instance authentication mode should be Azure Active Directory Only" in the recommendation and security policies, and named "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation" in Azure Policy - 78215662-041e-49ed-a9dd-5385911b3a1f). Any suggestions on what could be causing this behaviour ? Regards Dominic
How to get Policy "Windows VMs should enable ADE or EncryptionAtHost." to be compliant?
Advisor noticed that Azure Disk Encryption is missing on my VMs and gave me the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost." A couple of weeks ago I installed the AzurePolicyforWindows extension on one of the machines. Its status changed to compliant. Two days ago, I did the same for all other VMs but their statuses haven't changed. Am I missing something or are the policies messing with me?Azure Inherited roles, but still access denied
Hi, In e.g. Key Vault, when looking for the Access Control I can see that user account have custom contributor role inherited from the subscription level. When looking for the role more deeply it shows: "Showing 500 of 15937 permissions View all (will take a moment to load)" E.g. having the following permissions: Read Secret Properties and Write Secret. So all should be kind of okay..? 🙂 But when I'm looking for the e.g. secrets in the key vault, it gives me back "The operation is not allowed by RBAC." and "You are unauthorized to view these contents.". I thought there could be a "deny" rules, but nothing in there either. What could be the trick on here? What might be blocking or missing the access to the resources. Btw, I just tested, I was able to create the Key Vault by myself.
