Azure Policy - Configure backup on virtual machines with a given tag
I wonder if somebody could sanity check something for me with this please in case it's something I could be missing. We have this existing policy configured in a customers tenant (https://www.azadvertizer.net/azpolicyadvertizer/345fa903-145c-4fe1-8bcd-93ec2adccde8.html After creating a VM and allocating the correct tag etc. it didn't automatically have the backup policy assigned to it. With the policy assignment itself it didn't even appear as a non-compliant resource. I went through the checks to make sure it was the same region, correct tag, correct rsv and policy, which all appeared to look fine. When remediating it still wasn't pulling the resource through. When I went into the definition detail to see what could be amiss, I noticed the list of WindowServer image SKU's that were listed (image attached here https://i.stack.imgur.com/1YPpM.png. As I was sanity checking everything, I looked at the VM to see that the SKU wasn't actually in this list (2019-datacenter-smalldisk-g2). As every SKU is listed specifically it makes me think this image has just been missed off and needs adding? Rather than it getting captured by one of the SKU's listed. I can add the VM manually to the existing RSV for now but for future ref, is there a way I can raise this if my findings are indeed correct?Experience with Automanage Machine Configuration
Hi, I am experimenting with Automanage Machine Configuration and find the overall experience and documentation very poor. I am wondering if there are others who have experience with automanage and can point me towards additional documentation. I have built an example implementation which I am using as my lab setup: https://github.com/JelleBroekhuijsen/azure-automanage-example What I am experiencing is that the compliance-state reporting seems to be very inconsistent. Sometimes these sample configurations reports everything being compliant while maybe 30 minutes later the same configuration is marked as incompliant (while the VM is observably in a compliant state). Additionally, there seems to be no option to get support or report issues with the GuestConfiguration-extension (for Windows) or the GuestConfiguration PowerShell module. For instance, in my experimenting with the module I found that calling the PackageManagement DSC resource from within a configuration leads to a conflict with the embedded PackageManagement module in the windows extension. I found a workaround for this, but I have no way to report this issue.
Misplacement of schema in AllowedHostPathVolumesInKubernetesClusterList Policy Parameter?
In the Microsoft Cloud Security Benchmark, the policy parameter `AllowedHostPathVolumesInKubernetesClusterList` defines a `schema` object nested under metadata. Is this placement intentional, or should the schema be defined at the top level of the parameter https://github.com/Azure/azure-policy/blob/303a0000a3b9d1aed7361c69edaafd4340d37df7/built-in-policies/policySetDefinitions/Azure%20Government/Security%20Center/AzureSecurityCenter.json#L4132Script or Query for Management Group Compliance Statistics
I've been trying to reproduce the Azure Portal Compliance statistics for a Management Group in a PowerShell script or Resource Graph query without much luck. What I'd like to do is reproduce the numbers like compliance percentage, number of compliant / non-compliant resources, in the portal display. And run a daily script or query to track the numbers over time. (Without doing screen shots every day.) Just to be clear, I've attached a screenshot of a compliance screen for management group TEST1. I want to automate calculation of the Overall Resource Compliance (46%, 317 out of 692), and the policies/initiatives compliance state and resource compliance percentages at the bottom of the screen. I'm only interested in the resource compliance percentages below a threshold like 90% in order to help guide our remediation efforts. I've found several scripts and resource graph queries online but none seem to address management group scope. And even the ones that produce numbers for subscription scope don't seem to match the portal numbers. Has anyone successfully reproduced the portal MG compliance numbers with a script or quiery? Or, is it possible to obtain the logic behind the portals' MG scope compliance code? Seems like we should be able to reproduce the numbers shown by the console. Thanks.
Restrict Cost Consumption by using Azure Automation, Budget and Policy
Video See the demo video by using below link Demonstration Video Automation Runbook Logic Logic which set tag value once threshold exceeds # Authenticate using Managed Identity (recommended for Automation Accounts) Connect-AzAccount -Identity # Define Subscription ID and Reset Tag $subscriptionId = (Get-AzContext).Subscription.Id $tags = @{ "cost exceeded" = "yes" } # Resetting the tag value # Update the tag Update-AzTag -ResourceId "/subscriptions/$subscriptionId" -Tag $tags -Operation Merge Write-Output "Tag 'cost exceeded' reset to 'yes' for subscription $subscriptionId" Logic which reset tag value every month # Authenticate using Managed Identity (recommended for Automation Accounts) Connect-AzAccount -Identity # Define Subscription ID and Reset Tag $subscriptionId = (Get-AzContext).Subscription.Id $tags = @{ "cost exceeded" = "no" } # Resetting the tag value # Update the tag Update-AzTag -ResourceId "/subscriptions/$subscriptionId" -Tag $tags -Operation Merge Write-Output "Tag 'cost exceeded' reset to 'no' for subscription $subscriptionId" Azure Policy Logic { "properties": { "displayName": "budget", "policyType": "Custom", "mode": "All", "metadata": { "version": "1.0.0", "createdBy": "f6bb4303-e52d-4cba-9790-01f0798164b7", "createdOn": "2025-03-13T05:08:05.8483517Z", "updatedBy": "f6bb4303-e52d-4cba-9790-01f0798164b7", "updatedOn": "2025-03-13T06:32:35.1740944Z" }, "version": "1.0.0", "parameters": {}, "policyRule": { "if": { "allOf": [ { "field": "type", "notEquals": "Microsoft.Resources/subscriptions" }, { "value": "[subscription().tags['cost exceeded']]", "equals": "yes" } ] }, "then": { "effect": "Deny" } }, "versions": [ "1.0.0" ] }, }Adding VM Instance View Details, e.g. osName, to the VM Resource Object JSON (for Custom Policy Use)
I'm requesting to add more details to the JSON of the VM resource object, particularly from the VM instance view data. This is to include operating system information, such as the name and version (osName and osVersion), for use in a custom Policy. Although these details are visible in the portal, they're not present in the VM's resource object, which is necessary for our custom policy.Azure Policy - Seeking Guidance: Adding "Destination Table" to Built-In Azure Policy
Hi Team, I am sharing the existing Built-In Azure Policy that previously sent logs to Log Analytics Workspace. However, it currently lacks the option to choose "Destination Table" with selections such as "Azure Diagnostics" or "Resource Specific." I would like to include this option in the policy. Could you please advise on how to achieve this? Built-in Policy Name : Enable logging by category group for Application gateways (microsoft.network/applicationgateways) to Log Analytics Policy Code { "mode": "Indexed", "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "microsoft.network/applicationgateways" }, { "anyOf": [ { "value": "[first(parameters('resourceLocationList'))]", "equals": "*" }, { "field": "location", "in": "[parameters('resourceLocationList')]" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { "count": { "field": "Microsoft.Insights/diagnosticSettings/logs[*]", "where": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "[equals(parameters('categoryGroup'), 'allLogs')]" }, { "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", "equals": "allLogs" } ] } }, "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" } ] }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "diagnosticSettingName": { "type": "string" }, "logAnalytics": { "type": "string" }, "categoryGroup": { "type": "String" }, "resourceName": { "type": "string" } }, "variables": {}, "resources": [ { "type": "microsoft.network/applicationgateways/providers/diagnosticSettings", "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]", "properties": { "workspaceId": "[parameters('logAnalytics')]", "logs": [ { "categoryGroup": "allLogs", "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]" } ], "metrics": [] } } ], "outputs": { "policy": { "type": "string", "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Application gateways (microsoft.network/applicationgateways), resourceName ', parameters('resourceName'), ' to Log Analytics ', parameters('logAnalytics'), ' configured')]" } } }, "parameters": { "diagnosticSettingName": { "value": "[parameters('diagnosticSettingName')]" }, "logAnalytics": { "value": "[parameters('logAnalytics')]" }, "categoryGroup": { "value": "[parameters('categoryGroup')]" }, "resourceName": { "value": "[field('name')]" } } } } } } }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "diagnosticSettingName": { "type": "String", "metadata": { "displayName": "Diagnostic Setting Name", "description": "Diagnostic Setting Name" }, "defaultValue": "setByPolicy-LogAnalytics" }, "categoryGroup": { "type": "String", "metadata": { "displayName": "Category Group", "description": "Diagnostic category group - none, audit, or allLogs." }, "allowedValues": [ "audit", "allLogs" ], "defaultValue": "audit" }, "resourceLocationList": { "type": "Array", "metadata": { "displayName": "Resource Location List", "description": "Resource Location List to send logs to nearby Log Analytics. A single entry \"*\" selects all locations (default)." }, "defaultValue": [ "*" ] }, "logAnalytics": { "type": "String", "metadata": { "displayName": "Log Analytics Workspace", "description": "Log Analytics Workspace", "strongType": "omsWorkspace", "assignPermissions": true } } } }
Azure Policy require multiple tags with values
I have a policy that requires specific tag with specific values (json below), but I want to require more tags within the same policy also with specific value and not sure how to do it... Is there a way to add more tags with specific values to the same policy? For example, I want to require two tags: environment with prod/non-prod and department with Infra/Finance Is it possible? Thank you! { "properties": { "displayName": "Require tag environment and its values on resources ", "policyType": "Custom", "mode": "Indexed", "description": "Enforces a required tag environment and its value. Does not apply to resource groups.", "metadata": { "category": "Tags", "createdBy": "" "createdOn": "" "updatedBy": "" "updatedOn": "" }, "version": "1.0.0", "parameters": { "tagName": { "type": "String", "metadata": { "displayName": "Tag Name1", "description": "Name of the tag, such as 'environment'" }, "allowedValues": [ "environment" ] }, "tagValue": { "type": "Array", "metadata": { "displayName": "Tag Value1", "description": "Value of the tag, such as 'production'" }, "allowedValues": [ "prod", "non-prod" ] } }, "policyRule": { "if": { "not": { "field": "[concat('tags[', parameters('tagName'), ']')]", "in": "[parameters('tagValue')]" } }, "then": { "effect": "deny" } }, "versions": [ "1.0.0" ] }, } }
Microsoft Cloud Security Benchmark policies not reporting in Defender for Cloud
We enable the MCSB security policy at our tenant level and manage compliance via Defender for Cloud. However, I have found that some of the policies are listed are not showing in the Defender for Cloud recommendations. For example, the policy "Azure SQL Managed Instance should have Microsoft Entra-only authentication enabled" is visible via Defender for Cloud>Environment Settings>Security Policies>MCSB and is linked to Policy Id 0c28c3fb-c244-42d5-a9bf-f35f2999577b. Within Azure Policy Compliance, I can find the policy in the assignment for MCSB and it reports both compliant and non-compliant resources in my tenant. However, there is nothing reported in Defender for Cloud for the policy under the Recommendations>All Recommendations. I have checked the filters applied and know it should be there - the similar policy is showing correctly (named "Azure SQL Managed Instance authentication mode should be Azure Active Directory Only" in the recommendation and security policies, and named "Azure SQL Managed Instances should have Microsoft Entra-only authentication enabled during creation" in Azure Policy - 78215662-041e-49ed-a9dd-5385911b3a1f). Any suggestions on what could be causing this behaviour ? Regards DominicHow to get Policy "Windows VMs should enable ADE or EncryptionAtHost." to be compliant?
Advisor noticed that Azure Disk Encryption is missing on my VMs and gave me the following recommendation: "Windows virtual machines should enable Azure Disk Encryption or EncryptionAtHost." A couple of weeks ago I installed the AzurePolicyforWindows extension on one of the machines. Its status changed to compliant. Two days ago, I did the same for all other VMs but their statuses haven't changed. Am I missing something or are the policies messing with me?
