Getting a syntax error when I want to create a policy definition with Azure CLI on Windows
I'm quite new to Azure Cloud. I'm getting a syntax error when I want to create a policy definition with Azure CLI on Windows: az policy definition create --name 'denyCoolTiering' --description ' Deny cool access tiering for storage' --rules…
VM Extension Tagging
Is it possible to create a policy to tag VM extensions via inherit tags from resource group policy?
Azure APIM Developer Portal - Need help with handling CORS errors
Hello, I'm trying to test an API operation, but when I provide an invalid subscription key, the error message returned is related to CORS rather than an invalid subscription error message. However, I receive a success response when using a valid…
How to mask or hide OCP apim subscription key from being displayed in azure portal
Can we hide/mask the OCP apim subscription key, which is called from KeyVault, from being displayed in Azure portal apim policies?
Is it possible to use Azure Policy to apply CanNotDelete locks at resource level?
I am trying to use Azure Policy to track compliance of resources with or without locks on and if a resource doesn't have a lock on, then apply the lock. I have been able to get Azure Policy to apply CanNotDelete locks at the ResourceGroup level, however…
Authorization error from deploying management group to tenant using az cli with owner/contributor role.
Below is the error I got trying to deploy a new management group. I have the contributor role on my service principal. {"code": "AuthorizationFailed", "message": "The client '' with object id '' does not have…
We have a case where we are trying to fetch the calendar events using the getSchedule API, where we are using the client credentials flow and given the access policy to the mail-enabled security group with the user in the shared mailbox
We are trying to use the client credentials flow token to fetch the free busy events of the users so we have given the application access policy to the mail-enabled security group with a single-user email which is a shared email so when we try…
Can we know the region of the Peered Vnet using Azure Policies
Can we know the region of the Peered Vnet using Azure Policies? For example, there is a vnet named demo_vnet which is peered with another vnet named shared_vnet present in a different subscription and I want to know the region of the shared_vnet, can I find…
Confused with Module 3 - Policy Management at https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/main/Onboarding/Modules/3-Policy-Management.md#step-3---assign-and-customize-the-mdc-default-policy
Hi, I am reading the onboarding process and reached module 3 at https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/main/Onboarding/Modules/3-Policy-Management.md#step-3---assign-and-customize-the-mdc-default-policy I have already activated all…
Assistance with NSG rule Azure policy
Hello, I am having trouble creating an Azure policy that adds and modifies default NSG rules if they do not match what is defined in the policy using the deployIfNotExists effect. I am getting the error that the "deployment definition is…
Custom Azure policy "Logic apps should use the latest TLS version"
Hello, I need to create a custom policy for Logic Apps. There is already a built-in policy in Azure for App service and Function apps. App service (App Service apps should use the latest TLS version) - Definition ID:…
Applying Azure PCI DSS4 regulatory compliance policy for passwords
Hi, I am trying to assign PCI DSS4 Defender for cloud regulatory compliance policy for passwords - Audit Windows machines that allow re-use of the passwords after the specified number of unique passwords- where count is 24 Audit Windows machines that…
Azure policy for auditing trial subscriptions
My team is trying to create an audit effect Azure policy to audit any trial subscriptions. The goal of our policy is to show all the trial subscriptions as non-compliant. Below is the JSON template we were able to come up with. We are testing for…
I am unable to upgrade my account because my billing access was changed automatically by Azure
Recently my account was disabled. I would like to find out how to enable it and upgrade it. It's not letting me upgrade.
Setting up Azure Firewall for network perimeter
How can I set up Azure Firewall for better security and at more of the resource group level? I already have a network security group (NSG) set up with IP whitelisting for an exposed endpoint, but I'm not sure how to connect the filtered traffic to the…
How to restrict users from deploying the resources in a RG when a specified tag is applied to that RG?
I already know how to deny resource deployment when a specific tag is missing using Azure custom policies. Now, I'm interested in creating a custom policy that prevents users from deploying resources in a resource group if a particular tag exists for…
I am working on azure policy where an alert will be generated if a RBAC role is assigned with a blob data action permissions on a storage account. Can anyone please help in correcting the code I have written.
{ "mode": "All", "policyType": "Custom", "displayName": "Audit Creation of RBAC Roles for Storage Accounts", "description": "This policy audits any new or updated RBAC…
Create VM issue with Not allowed resource types - virtualNetwork
If I apply a new Azure policy to the management group which has been associated with the subscription, there is a configuration for "Not allowed resource types" with virtualNetwork. Could I create the new VM in an existing VNet? Because we have…
Find the resources which are untagged / not having any Tags in a Subscription
How to find all the resources which are Untagged / Not having any tags in a subscription Via PowerShell Script or Policies
How to exempt a particular Service Principal (SPN) / App registration from the denial actions enforced by an Azure custom policy
Hello, I've implemented a deny policy to prevent end users from deploying unauthorized resources. However, this policy is also affecting the automation within the service principal's account. Now, I want to find a way so that it should allow this…