Azure Policy built-in definitions for Data Factory
APPLIES TO: Azure Data Factory Azure Synapse Analytics
Try out Data Factory in Microsoft Fabric, an all-in-one analytics solution for enterprises. Microsoft Fabric covers everything from data movement to data science, real-time analytics, business intelligence, and reporting. Learn how to start a new trial for free!
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
|[Preview]: Azure Data Factory pipelines should only communicate with allowed domains||To prevent data & token exfiltration, set the domains that Azure Data Factory should be allowed to communicate with. Note: While in public preview, the compliance for this policy is not reported, & for policy to be applied to Data Factory, please enable outbound rules functionality in the ADF studio. For more information, visit https://aka.ms/data-exfiltration-policy.||Deny, Disabled||1.0.0-preview|
|Azure data factories should be encrypted with a customer-managed key||Use customer-managed keys to manage the encryption at rest of your Azure Data Factory. By default, customer data is encrypted with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more at https://aka.ms/adf-cmk.||Audit, Deny, Disabled||1.0.1|
|Azure Data Factory integration runtime should have a limit for number of cores||To manage your resources and costs, limit the number of cores for an integration runtime.||Audit, Deny, Disabled||1.0.0|
|Azure Data Factory linked service resource type should be in allow list||Define the allow list of Azure Data Factory linked service types. Restricting allowed resource types enables control over the boundary of data movement. For example, restrict a scope to only allow blob storage with Data Lake Storage Gen1 and Gen2 for analytics or a scope to only allow SQL and Kusto access for real-time queries.||Audit, Deny, Disabled||1.1.0|
|Azure Data Factory linked services should use Key Vault for storing secrets||To ensure secrets (such as connection strings) are managed securely, require users to provide secrets using an Azure Key Vault instead of specifying them inline in linked services.||Audit, Deny, Disabled||1.0.0|
|Azure Data Factory linked services should use system-assigned managed identity authentication when it is supported||Using system-assigned managed identity when communicating with data stores via linked services avoids the use of less secured credentials such as passwords or connection strings.||Audit, Deny, Disabled||2.1.0|
|Azure Data Factory should use a Git repository for source control||Configure only your development data factory with Git integration. Changes to test and production should be deployed via CI/CD and should NOT have Git integration. DO NOT apply this policy on your QA / Test / Production data factories.||Audit, Deny, Disabled||1.0.1|
|Azure Data Factory should use private link||Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to Azure Data Factory, data leakage risks are reduced. Learn more about private links at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.||AuditIfNotExists, Disabled||1.0.0|
|Configure Data Factories to disable public network access||Disable public network access for your Data Factory so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.||Modify, Disabled||1.0.0|
|Configure private endpoints for Data factories||Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Data Factory, you can reduce data leakage risks. Learn more at: https://docs.microsoft.com/azure/data-factory/data-factory-private-link.||DeployIfNotExists, Disabled||1.1.0|
|Public network access on Azure Data Factory should be disabled||Disabling the public network access property improves security by ensuring your Azure Data Factory can only be accessed from a private endpoint.||Audit, Deny, Disabled||1.0.0|
|SQL Server Integration Services integration runtimes on Azure Data Factory should be joined to a virtual network||Azure Virtual Network deployment provides enhanced security and isolation for your SQL Server Integration Services integration runtimes on Azure Data Factory, as well as subnets, access control policies, and other features to further restrict access.||Audit, Deny, Disabled||2.2.0|