Azure Policy built-in definitions for Microsoft Entra Domain Services
This page is an index of Azure Policy built-in policy definitions for Microsoft Entra Domain Services. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Microsoft Entra admin center. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Microsoft Entra Domain Services
Name (Azure portal) |
Description | Effect(s) | Version (GitHub) |
---|---|---|---|
Microsoft Entra Domain Services managed domains should use TLS 1.2 only mode | Use TLS 1.2 only mode for your managed domains. By default, Microsoft Entra Domain Services enables the use of ciphers such as NTLM v1 and TLS v1. These ciphers may be required for some legacy applications, but are considered weak and can be disabled if you don't need them. When TLS 1.2 only mode is enabled, any client making a request that is not using TLS 1.2 will fail. Learn more at Harden a Microsoft Entra Domain Services managed domain. | Audit, Deny, Disabled | 1.1.0 |
Microsoft Entra ID should use private link to access Azure services. | Azure Private Link lets you connect your virtual networks to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Microsoft Entra ID, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | AuditIfNotExists, Disabled | 1.0.0 |
Configure Private Link for Microsoft Entra ID with private endpoints | Private endpoints connect your virtual networks to Azure services without a public IP address at the source or destination. By mapping private endpoints to Microsoft Entra ID, you can reduce data leakage risks. Learn more at: https://aka.ms/privateLinkforAzureADDocs. It should be only used from isolated VNETs to Azure services, with no access to the Internet or other services (M365). | DeployIfNotExists, Disabled | 1.0.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.