Azure Policy built-in definitions for Azure RBAC

This page is an index of Azure Policy built-in policy definitions for Azure RBAC. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in the Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Azure RBAC

| Name (Azure portal) | Description | Effect(s) | Version (GitHub) |
|---|---|---|---|
| Audit usage of custom RBAC roles | Audit built-in roles such as 'Owner, Contributor, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling. | Audit, Disabled | 1.0.1 |
| Exclude Usage Costs Resources | This policy enables you to exclude Usage Costs Resources. Usage costs include things like metered storage and Azure resources which are billed based on usage. | Audit, Deny, Disabled | 1.0.0 |
| SQL server-targeted autoprovisioning should be enabled for SQL servers on machines plan | To ensure your SQL VMs and Arc-enabled SQL Servers are protected, ensure the SQL-targeted Azure Monitoring Agent is configured to automatically deploy. This is also necessary if you've previously configured autoprovisioning of the Microsoft Monitoring Agent, as that component is being deprecated. Learn more: https://aka.ms/SQLAMAMigration | AuditIfNotExists, Disabled | 1.0.0 |

Next steps