policy
2 Topics

Deny Security Rules deletion
Hi, I'm trying to create a policy which prevents users from making any creation/modification/deletion of a priority 100 NSG security rule. I've created a policy as below. While it prevents creation/modification of the priority 100 rule, it still allows the user to delete it. Is deletion not covered under deny policy? Do we have any MS doc which says that? If not, is there anything that needs to be added to prevent deletion?

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allof": [
        {
          "field": "type",
          "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
        },
        {
          "field": "Microsoft.Network/networkSecurityGroups/securityRules/priority",
          "equals": 100
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

I've also tried "Microsoft.Network/networkSecurityGroups/securityRules/*" - doesn't work.

2.8K Views, 0 likes, 1 Comment

How to create an action group in each subscription?
Hi all, I have been tasked to create an https://azure.microsoft.com/en-us/updates/azure-advisor-recommendation-digests-now-availab/ which would send an email to the subscription owner every 30 days with Azure Advisor digest. I have tens of subscriptions under different management groups.

The first task is to create an Action Group for each subscription. I am thinking of using Azure Policy on the top management group level to create an AG for each sub. Where can I find a template for the action group creation policy definition? I have below one I tried to convert from network watcher but it is missing so many fields that I am sure I am nowhere close to it. Maybe using Blueprints is a better way of achieving this? Any ideas?

{
  "properties": {
    "displayName": "Deploy Action Group for each subscription",
    "mode": "Indexed",
    "description": "This policy deploys Action Group for a subscription if it doesn't exists.",
    "metadata": {
      "category": "Monitor"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Insights/actiongroups"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/actiongroups",
          "resourceGroupName": "rg-actiongroups",
          "existenceCondition": {
            "field": "location",
            "equals": "[field('location')]"
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "location": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "apiVersion": "2016-09-01",
                    "type": "Microsoft.Insights/actiongroups",
                    "name": "[concat('actiongroup_',parameters('subscription')),parameters('location'))]",
                    "location": "[parameters('location')]"
                  }
                ]
              },
              "parameters": {
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
  }
}

1.9K Views, 0 likes, 0 Comments