Custom Azure policy "Logic apps should use the latest TLS version"

Kym Caris Natividad 20 Reputation points
2024-04-18T14:01:57.9766667+00:00

Hello, I need to create a custom policy for Logic Apps. There is already a built-in policy in Azure for App service and Function apps.

App service (App Service apps should use the latest TLS version) -

Definition ID: /providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b

Function app (Function apps should use the latest TLS version) -

Definition ID: /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193

Was wondering if the same can be done for Logic Apps? I've done some research already but cannot find any info regarding this so I'm not sure if this was possible.


3 answers

  1. Alex Burlachenko 810 Reputation points
    2024-04-18T14:26:23.5433333+00:00

    Yes, you can create a custom policy for Azure Logic Apps.

    Azure Policy allows you to define your own rules for using Azure, which can enforce security practices, cost management, and organization-specific rules.

    Identify your business requirements: Define the expected state of the resource and what you want done with non-compliant resources.

    Map each requirement to an Azure resource property: Determine the properties for an Azure resource.

    Map the property to an alias: This is used in the policy definition.

    Determine which effect to use: Azure Policy supports many effects.

    Compose the policy definition: Create the policy definition based on the above steps.

    Please note that there are also built-in policy definitions for Azure Logic Apps.

    You might want to check these built-in policies to see if they meet your needs before creating a custom policy.


  2. SwathiDhanwada-MSFT 17,881 Reputation points
    2024-04-19T12:45:58.97+00:00

    @Kym Caris Natividad As far as I know, you cannot create a custom policy for the scenario you mentioned, as there are no ARM properties that can set TLS directly.

    You can secure the logic apps to use the latest TLS version by following the ways mentioned in this document.


  3. Prashant Kumar 75 Reputation points Microsoft Employee
    2024-04-19T14:46:34.2766667+00:00

    Hi Kym,

    You can try updating the built-in policy if you want to Audit the resources for TLS version: Function app (Function apps should use the latest TLS version) -

    Definition ID: /providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193

    Update the policy IF block with the code below.

    The kind for a logic app is "functionapp,workflowapp".

    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "contains": "functionapp,workflowapp"
          }
        ]
      },
    
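A complete custom definition built around the `if` block from answer 3, as an added example that is not part of the thread and is not a Microsoft built-in definition. The `then` block is an assumption of this example: it audits each matched site's `web` config through the `Microsoft.Web/sites/config/minTlsVersion` alias with an assumed required value of 1.2, and the display name, description and category are placeholders.

```json
{
  "properties": {
    "displayName": "Logic apps should use the latest TLS version (custom example)",
    "description": "Added example, not a built-in definition. Audits Microsoft.Web/sites resources whose kind contains 'functionapp,workflowapp' when the web config minTlsVersion differs from the assumed value 1.2.",
    "policyType": "Custom",
    "mode": "Indexed",
    "metadata": {
      "category": "Logic Apps",
      "note": "The 'then' block and the 1.2 value are assumptions of this example."
    },
    "parameters": {
      "effect": {
        "type": "String",
        "allowedValues": ["AuditIfNotExists", "Disabled"],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Web/sites"
          },
          {
            "field": "kind",
            "contains": "functionapp,workflowapp"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Web/sites/config",
          "name": "web",
          "existenceCondition": {
            "field": "Microsoft.Web/sites/config/minTlsVersion",
            "equals": "1.2"
          }
        }
      }
    }
  }
}
```

The rule only evaluates `Microsoft.Web/sites` resources, so logic apps deployed as `Microsoft.Logic/workflows` are outside its scope. Because `contains` is a substring match, a site is selected only when its `kind` holds the exact sequence `functionapp,workflowapp`.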