Azure Policy built-in definitions for Azure API for FHIR
Important
Azure API for FHIR will be retired on September 30, 2026. Follow the migration strategies to transition to Azure Health Data Services FHIR® service by that date. Due to the retirement of Azure API for FHIR, new deployments won't be allowed beginning April 1, 2025. Azure Health Data Services FHIR service is the evolved version of Azure API for FHIR that enables customers to manage FHIR, DICOM, and MedTech services with integrations into other Azure services.
This page is an index of Azure Policy built-in policy definitions for Azure API for FHIR®. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.
The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.
Azure API for FHIR
Name (Azure portal) | Description | Effects | Version (GitHub) |
---|---|---|---|
Azure API for FHIR should use a customer-managed key to encrypt data at rest | Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default encryption performed with service-managed keys. | audit, Audit, disabled, Disabled | 1.1.0 |
Azure API for FHIR should use private link | Azure API for FHIR should have at least one approved private endpoint connection. Clients in a virtual network can securely access resources that have private endpoint connections through private links. For more information, visit: https://aka.ms/fhir-privatelink. | Audit, Disabled | 1.0.0 |
CORS shouldn't allow every domain to access your API for FHIR | Cross-Origin Resource Sharing (CORS) shouldn't allow all domains to access your API for FHIR. To protect your API for FHIR, remove access for all domains and explicitly define the domains allowed to connect. | audit, Audit, disabled, Disabled | 1.1.0 |
Next steps
- See the built-ins on the Azure Policy GitHub repo.
- Review the Azure Policy definition structure.
- Review Understanding policy effects.
Note
FHIR® is a registered trademark of HL7 and is used with the permission of HL7.