Policy to prevent creation of app services without authentication

Richard Misiak 21 Reputation points

I wish to create a policy that will prevent the creation of app services without authentication enabled (just auditing them is not enough).

The following policy can correctly identify existing resources that do not have authentication enabled:

  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
          "field": "Microsoft.Web/sites/config/siteAuthEnabled",
          "equals": "false"
    "then": {
      "effect": "deny"

however it does not prevent them being created in the first place (either via ARM template or through the portal).

I suspect this is because the Microsoft.Web/sites/config resource isn't being explicitly created.

Does anyone know if this is possible?

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
754 questions
0 comments No comments
{count} votes

0 additional answers

Sort by: Most helpful