How to reference soft delete setting on recovery vaults in Azure policy

G. Garber 0 Reputation points
2023-05-01T14:28:43.4766667+00:00

Anyone know if there's a way to build an Azure policy to audit whether the soft delete option is enabled for recovery services vaults? I see a template for backup vaults and tried to change it but it didn't work. I get this error:

The 'field' property 'Microsoft.RecoveryServices/vaults/securitySettings.SoftDeleteFeatureState.state' of the policy rule doesn't exist as an alias under provider 'Microsoft.RecoveryServices' and resource type 'vaults'.


2 answers

  1. Monalla-MSFT 12,861 Reputation points
    2023-05-01T19:27:47.0533333+00:00

    @G. Garber - Welcome to Microsoft Q&A and thanks for reaching out to us.

    Yes, you can create an Azure Policy to audit whether the soft delete option is enabled for Recovery Services Vaults. Here are the steps to create the policy:

    1. In the Azure portal, go to the "Policy" service.
    2. Click on "Definitions" in the left-hand menu.
    3. Click on "Add" to create a new policy definition.
    4. Enter a name and description for the policy definition.
    5. Under "Policy rule", click on "Edit".
    6. Enter the following JSON code to define the policy rule:
    {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.RecoveryServices/vaults"
                },
                {
                    "not": {
                        "field": "properties.softDeleteFeatureState",
                        "equals": "Enabled"
                    }
                }
            ]
        },
        "then": {
            "effect": "audit"
        }
    }
    

    You can assign this policy to a scope, such as a management group or subscription, to enforce the policy across your Azure environment.

    Hope this helps, and please feel free to reach out if you have any further questions.


    If the above response was helpful, please feel free to "Accept as Answer" and click "Yes" so it can be beneficial to the community.


  2. G. Garber 0 Reputation points
    2023-05-02T17:09:11.7133333+00:00
    After running (Get-AzPolicyAlias -NamespaceMatch 'Microsoft.RecoveryServices').Aliases.Name
    and looking through the output, I finally found the field names to reference:
    {
        "if": {
            "allOf": [
                {
                    "field": "type",
                    "equals": "Microsoft.RecoveryServices/vaults/backupconfig"
                },
                {
                    "field": "Microsoft.RecoveryServices/vaults/backupconfig/softDeleteFeatureState",
                    "Equals": false
                }
            ]
        },
        "then": {
            "effect": "audit"
        }
    }
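The following is an added example, not code posted by either participant above. It ties the two answers together end to end in Az PowerShell: it runs the same Get-AzPolicyAlias query the asker used to locate the alias, builds the complete definition around the backupconfig alias found in the second answer (the vault type itself exposes no soft-delete alias, which is why the first answer's properties.softDeleteFeatureState path and the asker's securitySettings path are rejected with the "doesn't exist as an alias" error), and creates and assigns it. Soft delete is worth auditing because it keeps deleted backup data recoverable for 14 days, so a ransomware operator or compromised admin cannot immediately destroy the backups along with the data. Assumptions: you are already signed in with Connect-AzAccount against the target subscription; the definition and assignment names, the parameter name effect, and the subscription id are placeholders; and the alias compares as the REST enum strings Enabled / Disabled, so the rule flags anything that is not exactly Enabled.

```powershell
# Added example: audit Recovery Services vault soft delete with Azure Policy (Az.Resources, Az.PolicyInsights).
# Assumes Connect-AzAccount has been run against the subscription you want to govern.

# 1. Confirm the alias. The vault type has no soft-delete alias; the setting lives on the
#    backupconfig child resource, so this is the only name that matches.
(Get-AzPolicyAlias -NamespaceMatch 'Microsoft.RecoveryServices').Aliases.Name |
    Where-Object { $_ -like '*softDelete*' }

# 2. Complete policy rule. backupconfig does not support tags or location, so the definition
#    needs mode 'All'; in the default 'Indexed' mode the child resource is never evaluated and
#    the assignment would silently report nothing.
#    Assumption: the alias returns the enum strings 'Enabled' / 'Disabled', so anything other
#    than 'Enabled' (including an unset value) is flagged.
$rule = @'
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.RecoveryServices/vaults/backupconfig"
      },
      {
        "field": "Microsoft.RecoveryServices/vaults/backupconfig/softDeleteFeatureState",
        "notEquals": "Enabled"
      }
    ]
  },
  "then": {
    "effect": "[parameters('effect')]"
  }
}
'@

# Parameterised effect so the same definition can be assigned as Audit or switched off.
$params = @'
{
  "effect": {
    "type": "String",
    "metadata": { "displayName": "Effect", "description": "Audit or Disabled" },
    "allowedValues": [ "Audit", "Disabled" ],
    "defaultValue": "Audit"
  }
}
'@

$definition = New-AzPolicyDefinition `
    -Name 'audit-rsv-soft-delete' `
    -DisplayName 'Audit Recovery Services vaults without soft delete' `
    -Description 'Flags backupconfig resources whose softDeleteFeatureState is not Enabled.' `
    -Mode 'All' `
    -Policy $rule `
    -Parameter $params

# 3. Assign at a scope (placeholder subscription id) and read back the non-compliant resources.
$scope = '/subscriptions/00000000-0000-0000-0000-000000000000'
$assignment = New-AzPolicyAssignment `
    -Name 'audit-rsv-soft-delete' `
    -PolicyDefinition $definition `
    -Scope $scope `
    -PolicyParameterObject @{ effect = 'Audit' }

# Optional: trigger an evaluation now instead of waiting for the periodic scan.
Start-AzPolicyComplianceScan

Get-AzPolicyState -PolicyAssignmentName $assignment.Name `
    -Filter "ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, ComplianceState
```

Each non-compliant row is a backupconfig resource, not the vault itself; the vault is the parent segment of the returned ResourceId. If your Get-AzPolicyAlias output shows the soft-delete value under a different alias or as a boolean rather than a string, adjust the field and the comparison value accordingly before creating the definition.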
