Latest Discussions
We never really knew if our Azure followed CAF or Well-Architected — so we built something
For years we ran Azure environments professionally, and CAF and WAF reviews were always the same story. A consultant every 12-18 months, a thick PDF, good intentions, and then nothing until the next one. The problem wasn't that we didn't care. It was that there was no lightweight way to track it continuously. Defender had some parts of CIS. WAF had the assessment tool. CAF had... a whitepaper and a spreadsheet we kept meaning to update. We couldn't answer basic questions like: are we getting better or worse? Which subscriptions are drifting? What would an auditor actually see if they looked at our CAF posture today?

Eventually we got frustrated enough to build Anubion. It connects agentlessly to your Azure tenant and runs continuous checks across CIS, CAF, and WAF in one place, with findings prioritised and evidence stored over time. Happy to share more if anyone's interested. But also genuinely curious: how are other teams handling CAF and WAF tracking between formal assessments?

If anyone is curious about their scores, you can sign up for a 14-day free trial. The setup is short and you only need a read-only service principal. Check out https://anubion.io/#request-access

Sebastian1993, Copper Contributor, May 26, 2026

How to apply policy initiative Azure
Hello Mighty Wizards, trying to assign an Azure Policy Initiative via PowerShell.

Step 1:

New-AzPolicySetDefinition -Name 'DATABASE_OPEN_SOURCE_ID' -ManagementGroupName MGname -DisplayName 'DATABASES OPEN SOURCE' -PolicyDefinition "C:\path\initiatives\DATABASES_-_OPEN_SOURCE\policyset1.json"

Note: policyset1.json comes from exporting the initiative definition and assignment to GitHub.

Error:

New-AzPolicySetDefinition : InvalidRequestContent : The request content was invalid and could not be deserialized: 'Could not find member 'properties' on object of type 'PolicyDefinitionReference'. Path 'properties.policyDefinitions[0].properties', line 7, position 21.'. CorrelationId: f01ee272-73c1-43b7-99fc-51a67650463a
At line:1 char:1
+ New-AzPolicySetDefinition -Name 'DATABASE_OPEN_SOURCE_ID' -Management ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzPolicySetDefinition], ErrorResponseMessageException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzurePolicySetDefinitionCmdlet

First question: how does this file have to be formatted? Can you give me an example?

Second question: how to assign this definition? With New-AzPolicyAssignment?

Thank you in advance for your reply.

giuseppe

Deploying access packages as code
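The following script is an added example and is not part of the post above or of any Microsoft sample. It addresses both questions from the post. The -PolicyDefinition argument of New-AzPolicySetDefinition must contain only the initiative's policyDefinitions array (policy definition references with policyDefinitionId, optional policyDefinitionReferenceId, parameters and groupNames); the error path 'properties.policyDefinitions[0].properties' shows that the first element of the file instead carried a "properties" member, i.e. a whole policy definition object or the exported wrapper rather than a reference. The script normalises the three file shapes an export can produce, creates the set at the management group, then assigns it with New-AzPolicyAssignment. The file path, management group name, definition name and assignment name are placeholders taken from the post; the mapping of full definition objects to references via their "id" field is an assumption that only holds for definitions that already exist (built-ins or previously created custom definitions).

```powershell
# Added example, not the original poster's code. Assumes Az.Resources is installed
# and Connect-AzAccount has been run with rights on the management group.
param(
    [string]$InitiativeFile      = 'C:\path\initiatives\DATABASES_-_OPEN_SOURCE\policyset1.json',
    [string]$ManagementGroupName = 'MGname',
    [string]$Name                = 'DATABASE_OPEN_SOURCE_ID',
    [string]$DisplayName         = 'DATABASES OPEN SOURCE',
    # Assignment names are limited to 24 characters at management group scope.
    [string]$AssignmentName      = 'db-open-source'
)

$raw = Get-Content -Path $InitiativeFile -Raw | ConvertFrom-Json

if ($raw -isnot [System.Collections.IList] -and $raw.properties -and $raw.properties.policyDefinitions) {
    # Shape 1: portal/ARM export of the initiative:
    # { "properties": { "policyDefinitions": [...], "parameters": {...} }, "id": ..., "name": ... }
    $references = @($raw.properties.policyDefinitions)
    $setParams  = $raw.properties.parameters
} else {
    # Shape 2: bare array of full policy definition objects (each with "properties" and "id"),
    # which is what the error message describes. Shape 3: already an array of references.
    $references = @($raw) | ForEach-Object {
        if ($_.policyDefinitionId) {
            $_                                   # already a reference, keep as-is
        } elseif ($_.id) {
            [pscustomobject]@{                   # assumption: referencing an existing definition by id
                policyDefinitionReferenceId = $_.name
                policyDefinitionId          = $_.id
                parameters                  = @{}
            }
        } else {
            throw "Element has neither policyDefinitionId nor id; create the custom definition first with New-AzPolicyDefinition."
        }
    }
    $setParams = $null
}

# -InputObject keeps a one-element list serialised as a JSON array instead of a bare object.
$refJson = ConvertTo-Json -InputObject $references -Depth 100

$setArgs = @{
    Name                = $Name
    DisplayName         = $DisplayName
    ManagementGroupName = $ManagementGroupName
    PolicyDefinition    = $refJson
}
if ($setParams) { $setArgs['Parameter'] = ConvertTo-Json -InputObject $setParams -Depth 100 }
$policySet = New-AzPolicySetDefinition @setArgs

# Assign at the management group. Add -IdentityType SystemAssigned and -Location
# only if the initiative contains DeployIfNotExists or Modify policies, and pass
# -PolicyParameterObject if the set declares parameters without default values.
$assignment = New-AzPolicyAssignment -Name $AssignmentName `
    -DisplayName $DisplayName `
    -Scope "/providers/Microsoft.Management/managementGroups/$ManagementGroupName" `
    -PolicySetDefinition $policySet
$assignment
```

If the export contains custom definitions that do not exist yet at the target scope, create each one with New-AzPolicyDefinition -ManagementGroupName first and reference the returned id; a set definition cannot reference a definition that lives in a scope the management group cannot see.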
I know Microsoft Graph can be used to automatically create access packages in Azure AD; however, it would be useful if a Terraform registry would eventually become available to deploy access packages using Terraform so you can manage your access packages in code. #AzureAD #IAC #accesspackages

doggonewater672, Copper Contributor, Mar 13, 2026

Fixing "Authentication to Linux machines should require SSH keys"
I have many Linux VMs running CentOS 7.8 that are currently failing on this policy. Policy source is https://github.com/Azure/azure-policy/blob/58fcf068ecb5e96d23958d9799cf872e687a1a4a/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_LinuxNoPasswordForSSH_AINE.json and the "then" clause is:

"then": {
  "effect": "[parameters('effect')]",
  "details": {
    "type": "Microsoft.GuestConfiguration/guestConfigurationAssignments",
    "name": "LinuxNoPasswordForSSH",
    "existenceCondition": {
      "field": "Microsoft.GuestConfiguration/guestConfigurationAssignments/complianceStatus",
      "equals": "Compliant"
    }
  }
}

My VMs are configured as follows, without the "guestConfiguration" but with password login disabled.

{
  "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED",
  "name": "REDACTED",
  "type": "Microsoft.Compute/virtualMachines",
  "location": "westeurope",
  "tags": { ... },
  "properties": {
    "vmId": "REDACTED",
    "hardwareProfile": { "vmSize": "Standard_B1ms" },
    "storageProfile": {
      "imageReference": {
        "publisher": "OpenLogic",
        "offer": "CentOS",
        "sku": "7_8",
        "version": "7.8.2021020400",
        "exactVersion": "7.8.2021020400"
      },
      "osDisk": {
        "osType": "Linux",
        "name": "REDACTED",
        "createOption": "FromImage",
        "caching": "ReadOnly",
        "managedDisk": { "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/disks/REDACTED" },
        "deleteOption": "Detach"
      },
      "dataDisks": [
        {
          "lun": 0,
          "name": "REDACTED",
          "createOption": "Empty",
          "caching": "ReadOnly",
          "managedDisk": { "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/disks/REDACTED" },
          "deleteOption": "Detach",
          "toBeDetached": false
        }
      ]
    },
    "osProfile": {
      "computerName": "REDACTED",
      "adminUsername": "REDACTED",
      "linuxConfiguration": {
        "disablePasswordAuthentication": true,
        "ssh": { "publicKeys": [ { "path": "REDACTED", "keyData": "REDACTED" } ] },
        "provisionVMAgent": true,
        "patchSettings": { "patchMode": "ImageDefault", "assessmentMode": "ImageDefault" },
        "enableVMAgentPlatformUpdates": false
      },
      "secrets": [],
      "allowExtensionOperations": true
    },
    "networkProfile": {
      "networkInterfaces": [
        {
          "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Network/networkInterfaces/REDACTED",
          "properties": { "primary": true }
        }
      ]
    },
    "provisioningState": "Succeeded",
    "timeCreated": "2023-01-16T00:14:48.5932025+00:00"
  },
  "resources": [
    {
      "name": "LinuxAgent.AzureSecurityCenter",
      "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED/extensions/LinuxAgent.AzureSecurityCenter",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "location": "westeurope",
      "properties": {
        "autoUpgradeMinorVersion": false,
        "provisioningState": "Succeeded",
        "publisher": "Qualys",
        "type": "LinuxAgent.AzureSecurityCenter",
        "typeHandlerVersion": "1.0",
        "settings": {
          "LicenseCode": "REDACTED",
          "GrayLabel": { "CustomerID": "REDACTED", "ResourceID": "REDACTED" }
        }
      }
    },
    {
      "name": "OmsAgentForLinux",
      "id": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.Compute/virtualMachines/REDACTED/extensions/OmsAgentForLinux",
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "location": "westeurope",
      "properties": {
        "autoUpgradeMinorVersion": true,
        "provisioningState": "Succeeded",
        "enableAutomaticUpgrade": false,
        "publisher": "Microsoft.EnterpriseCloud.Monitoring",
        "type": "OmsAgentForLinux",
        "typeHandlerVersion": "1.0",
        "settings": { "workspaceId": "REDACTED" }
      }
    }
  ]
}

What is the added value of having guest configuration in this case, and how do I deploy the resources needed to comply with this policy? I deploy VMs using Ansible.

luanderns, Copper Contributor, Feb 25, 2026

Azure Advisor aggregate score for 2+ subscriptions - how is it calculated?
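The script below is an added example, not code from the post or from Microsoft, and it speaks to both questions. The existenceCondition above is satisfied only by a guestConfigurationAssignments resource under the VM whose complianceStatus is Compliant, and that resource can only report anything once the VM has a system-assigned managed identity and the guest configuration (machine configuration) extension; the ARM property osProfile.linuxConfiguration.disablePasswordAuthentication is not consulted. That is also the added value: the ARM flag only drives first-boot provisioning, whereas guest configuration re-reads the sshd configuration inside the OS on a schedule, so a later edit of /etc/ssh/sshd_config by anyone with root is detected. The script installs the two prerequisites on one VM, runs the same in-guest check via Run Command so the result can be compared with what Policy reports, and then reads the assignment resource. The resource group and VM name are placeholders; the assignment resource name LinuxNoPasswordForSSH is taken from the policy's "details.name", while the API version used to read it and the assumption that the assignment appears once the prerequisites are present are mine. The same two steps map to azure.azcollection's VM identity setting and azure_rm_virtualmachineextension in Ansible.

```powershell
# Added example, not the original poster's code. Assumes Az.Compute and Az.Resources
# are installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)][string]$ResourceGroupName,
    [Parameter(Mandatory)][string]$VmName
)

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName

# 1. Guest configuration needs a system-assigned managed identity on the VM.
#    Caution: if the VM already has user-assigned identities, use
#    -IdentityType SystemAssignedUserAssigned together with -IdentityId to keep them.
if (-not $vm.Identity -or $vm.Identity.Type -notmatch 'SystemAssigned') {
    Update-AzVM -ResourceGroupName $ResourceGroupName -VM $vm -IdentityType SystemAssigned | Out-Null
}

# 2. Install the guest configuration extension that evaluates the in-guest settings.
$ext = @{
    ResourceGroupName      = $ResourceGroupName
    VMName                 = $VmName
    Location               = $vm.Location
    Name                   = 'AzurePolicyforLinux'
    Publisher              = 'Microsoft.GuestConfiguration'
    ExtensionType          = 'ConfigurationForLinux'
    TypeHandlerVersion     = '1.0'
    EnableAutomaticUpgrade = $true
}
Set-AzVMExtension @ext | Out-Null

# 3. Independent check of what the policy audits: the effective sshd setting inside
#    the guest, not the ARM disablePasswordAuthentication flag. Run Command executes as root.
$script = @'
sshd -T 2>/dev/null | grep -i '^passwordauthentication' || grep -i '^PasswordAuthentication' /etc/ssh/sshd_config
'@
$tmp = New-TemporaryFile
Set-Content -Path $tmp -Value $script -NoNewline
try {
    $run = Invoke-AzVMRunCommand -ResourceGroupName $ResourceGroupName -VMName $VmName `
        -CommandId 'RunShellScript' -ScriptPath $tmp
} finally {
    Remove-Item $tmp -Force
}
"In-guest sshd setting on ${VmName}: " + $run.Value[0].Message.Trim()

# 4. The resource the policy's existenceCondition looks for lives under the VM.
#    Assumption: it is created for the VM once the prerequisites above are in place
#    and the AuditIfNotExists policy is assigned; until then this returns nothing.
$assignmentId = "$($vm.Id)/providers/Microsoft.GuestConfiguration/guestConfigurationAssignments/LinuxNoPasswordForSSH"
$ga = Get-AzResource -ResourceId $assignmentId -ApiVersion 2020-06-25 -ErrorAction SilentlyContinue
if ($ga) {
    $ga.Properties | Select-Object complianceStatus, lastComplianceStatusChecked
} else {
    "No guest configuration assignment yet for $VmName; wait for the next policy evaluation."
}
```

Run it once per failing VM (for example by piping Get-AzVM output into a loop). Note that "passwordauthentication no" from step 3 plus a Compliant status in step 4 is the state the policy accepts; a VM that prints "no" in step 3 but has no assignment resource is still non-compliant from Azure Policy's point of view, which is exactly the situation the post describes.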
Dear all, I would like to understand how Azure Advisor calculates aggregations for the 5 pillars for multiple subscriptions.

In the example below we have values for Azure Advisor subscription 1 (Cost = 68, Security = 47, Reliability = 86, Operational Excellence = 83, Performance = 100), and subsequently values for Azure Advisor subscription 2 (Cost = 35, Security = 69, Reliability = 91, Operational Excellence = 79, Performance = 100). When selecting both subscriptions, we obtain the aggregate values. Naively I might have expected that the aggregate advisor scores could be the arithmetic average between the two, but that is not the case.

Any help is much appreciated! ❤️ Thank you very much in advance, Best Regards, Eva

Azure Policy - Enable Hybrid Use Benefit
Hello there. I'm struggling with a custom policy. My requirements are the following:

- Enable Hybrid Use Benefit for Microsoft.Compute/virtualMachines (properties.licenseType=Windows_Server)
- Work for both Marketplace and non-Marketplace virtual machines (ASRed, etc.)
- Fix deployments that are done without it enabled
- Allow remediation of existing resources

Initially I found https://github.com/Azure/Community-Policy/blob/master/Policies/Compute/deploy-hybrid-benefit-windows/azurepolicy.json which works for Marketplace, but not for VMs without imagePublisher and imageOffer. I identified properties.storageProfile.osDisk.osType as another way to identify Windows machines. The full policy is below, but it only works for remediation; it does not work for new deployments. What am I doing wrong?

I also found this issue, which suggests adding a licenseType to the "if", but then all resources are in compliance: https://github.com/Azure/azure-policy/issues/426. Remediation does not work and new resources don't either. Any help is very appreciated!

{
  "displayName": "Deploy Azure Hybrid Benefit for Windows.",
  "mode": "Indexed",
  "description": "This policy ensures virtual machines are configured for Azure Hybrid Benefit for Windows Server - https://docs.microsoft.com/en-us/azure/virtual-machines/windows/hybrid-use-benefit-licensing#ways-to-use-azure-hybrid-benefit-for-windows-server.",
  "metadata": { "category": "Compute", "version": "1.0.1" },
  "parameters": {
    "effect": {
      "type": "string",
      "metadata": {
        "displayName": "Effects",
        "description": "Enable or disable the execution of the Policy."
      },
      "allowedValues": [ "DeployIfNotExists", "Disabled" ],
      "defaultValue": "DeployIfNotExists"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
        { "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", "equals": "Windows" }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Compute/virtualMachines",
        "existenceCondition": {
          "allOf": [
            { "field": "Microsoft.Compute/virtualMachines/licenseType", "equals": "Windows_Server" }
          ]
        },
        "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "vmName": { "type": "String" },
                "licenseType": {
                  "defaultValue": "None",
                  "type": "String",
                  "allowedValues": [ "None", "Windows_Server" ]
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Compute/virtualMachines",
                  "apiVersion": "2021-03-01",
                  "name": "[parameters('vmName')]",
                  "location": "[resourceGroup().location]",
                  "properties": { "licenseType": "[parameters('licenseType')]" }
                }
              ],
              "outputs": {
                "policy": {
                  "type": "string",
                  "value": "[concat('Changed LicenseType for Windows VM', ': ', parameters('vmName'), '- ', parameters('licenseType'))]"
                }
              }
            },
            "parameters": {
              "vmName": { "value": "[field('name')]" },
              "licenseType": { "value": "Windows_Server" }
            }
          }
        }
      }
    }
  }
}

Thanks, Joel.

JoelMCarter, Copper Contributor, Jan 27, 2026

Misplacement of schema in AllowedHostPathVolumesInKubernetesClusterList Policy Parameter?
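The following script is an added example, not the poster's or Microsoft's code, for checking a DeployIfNotExists assignment like the one above. Two behaviours of that effect matter here: the deployment runs on a delay after a create or update request has already succeeded, never as part of the deployment itself, so a freshly created VM shows up without the license type first and is only changed later; and existing resources are never touched until a remediation task is started. The script forces an evaluation instead of waiting, lists the VMs Policy records as non-compliant for the assignment, compares that with the control-plane view (every Windows VM whose licenseType is not Windows_Server, which is what the existenceCondition above expresses), and starts a remediation task. It assumes the policy is assigned at subscription scope with a managed identity holding the role listed in roleDefinitionIds; the assignment name is a placeholder.

```powershell
# Added example, not the original poster's code. Assumes Az.Resources, Az.Compute and
# Az.PolicyInsights are installed and Connect-AzAccount has been run.
param(
    [Parameter(Mandatory)][string]$AssignmentName,
    [string]$SubscriptionId = (Get-AzContext).Subscription.Id
)

$scope        = "/subscriptions/$SubscriptionId"
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"

# 1. DeployIfNotExists is evaluated after the VM exists, on a delay; trigger the
#    evaluation now rather than waiting for the next scheduled run.
Start-AzPolicyComplianceScan -SubscriptionId $SubscriptionId | Out-Null

# 2. What Policy currently believes about this assignment.
$nonCompliant = Get-AzPolicyState -SubscriptionId $SubscriptionId `
    -PolicyAssignmentName $AssignmentName `
    -Filter "ComplianceState eq 'NonCompliant'"
"Policy reports $(@($nonCompliant).Count) non-compliant resource(s):"
$nonCompliant | Select-Object ResourceId, Timestamp | Format-Table -AutoSize

# 3. Control-plane view of the same condition: Windows VMs without Windows_Server licensing.
#    If this list is longer than the one above, the "if" block of the policy (osType)
#    is not matching those VMs, or they have not been evaluated yet.
$candidates = Get-AzVM | Where-Object {
    $_.StorageProfile.OsDisk.OsType -eq 'Windows' -and $_.LicenseType -ne 'Windows_Server'
}
"Windows VMs without Windows_Server licenseType: $(@($candidates).Count)"
$candidates | Select-Object ResourceGroupName, Name, LicenseType | Format-Table -AutoSize

# 4. Existing resources are only changed by an explicit remediation task.
#    ReEvaluateCompliance re-checks each resource before deploying, so VMs that were
#    fixed by hand in the meantime are skipped.
if ($nonCompliant) {
    $task = Start-AzPolicyRemediation -Name "ahub-$(Get-Date -Format 'yyyyMMddHHmm')" `
        -PolicyAssignmentId $assignmentId `
        -ResourceDiscoveryMode ReEvaluateCompliance
    $task | Select-Object Name, ProvisioningState
}
```

If step 2 returns nothing at all for VMs that step 3 lists, the assignment is not reaching them; confirm the assignment scope and that the VMs' osType alias resolves to "Windows" with Get-AzPolicyAlias -NamespaceMatch Microsoft.Compute before changing the policy rule.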
In the Microsoft Cloud Security Benchmark, the policy parameter `AllowedHostPathVolumesInKubernetesClusterList` defines a `schema` object nested under metadata. Is this placement intentional, or should the schema be defined at the top level of the parameter? https://github.com/Azure/azure-policy/blob/303a0000a3b9d1aed7361c69edaafd4340d37df7/built-in-policies/policySetDefinitions/Azure%20Government/Security%20Center/AzureSecurityCenter.json#L4132

arodindev, Copper Contributor, Nov 25, 2025

Query for NZ ISM versions
What is the difference between NZ_ISM_Restricted_v3_5 and nz_ism?

azure-policy/built-in-policies/policySetDefinitions/Regulatory Compliance/NZ_ISM_Restricted_v3_5.json at master · Azure/azure-policy · GitHub
azure-policy/built-in-policies/policySetDefinitions/Regulatory Compliance/nz_ism.json at master · Azure/azure-policy · GitHub

Also, I see the latest version of NZ ISM is 3.6. Will we have the latest update for NZ ISM?

jiallian, Former Employee, Nov 18, 2025

Amortized costs in Azure Budgets
Currently Azure budgets can only evaluate actual spend; there is no option to evaluate amortized cost. This results in an inaccurate representation of spend when RIs are in play. Does anyone know if this is on the roadmap to be released in Budgets any time soon? In Cost Analysis you can already switch between actual and amortized view, but nothing similar in budget configurations yet. Thank you!

a-foo, Copper Contributor, Nov 06, 2025

Azure Policy - Configure backup on virtual machines with a given tag
I wonder if somebody could sanity check something for me with this please, in case it's something I could be missing. We have this existing policy configured in a customer's tenant (https://www.azadvertizer.net/azpolicyadvertizer/345fa903-145c-4fe1-8bcd-93ec2adccde8.html).

After creating a VM and allocating the correct tag etc., it didn't automatically have the backup policy assigned to it. With the policy assignment itself it didn't even appear as a non-compliant resource. I went through the checks to make sure it was the same region, correct tag, correct RSV and policy, which all appeared to look fine. When remediating it still wasn't pulling the resource through.

When I went into the definition detail to see what could be amiss, I noticed the list of Windows Server image SKUs that were listed (image attached here: https://i.stack.imgur.com/1YPpM.png). As I was sanity checking everything, I looked at the VM to see that the SKU wasn't actually in this list (2019-datacenter-smalldisk-g2). As every SKU is listed specifically, it makes me think this image has just been missed off and needs adding, rather than it getting captured by one of the SKUs listed. I can add the VM manually to the existing RSV for now, but for future reference, is there a way I can raise this if my findings are indeed correct?

as-integy, Copper Contributor, Oct 22, 2025