Use Azure Policy to audit for compliance of minimum TLS version for an Azure Service Bus namespace

If you have a large number of Microsoft Azure Service Bus namespaces, you may want to perform an audit to make sure that all namespaces are configured for the minimum version of TLS that your organization requires. To audit a set of Service Bus namespaces for their compliance, use Azure Policy. Azure Policy is a service that you can use to create, assign, and manage policies that apply rules to Azure resources. Azure Policy helps you to keep those resources compliant with your corporate standards and service level agreements. For more information, see Overview of Azure Policy.

Create a policy with an audit effect

Azure Policy supports effects that determine what happens when a policy rule is evaluated against a resource. The audit effect creates a warning when a resource is not in compliance, but does not stop the request. For more information about effects, see Understand Azure Policy effects.

To create a policy with an audit effect for the minimum TLS version with the Azure portal, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.

  2. Under the Authoring section, select Definitions.

  3. Select Add policy definition to create a new policy definition.

  4. For the Definition location field, select the More button to specify where the audit policy resource is located.

  5. Specify a name for the policy. You can optionally specify a description and category.

  6. Under Policy rule , add the following policy definition to the policyRule section.

    {
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "type",
              "equals": "Microsoft.ServiceBus/namespaces"
            },
            {
              "not": {
                "field": "Microsoft.ServiceBus/namespaces/minimumTlsVersion",
                "equals": "1.2"
              }
            }
          ]
        },
        "then": {
          "effect": "audit"
        }
      }
    }
    
  7. Save the policy.

Assign the policy

Next, assign the policy to a resource. The scope of the policy corresponds to that resource and any resources beneath it. For more information on policy assignment, see Azure Policy assignment structure.

To assign the policy with the Azure portal, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.
  2. Under the Authoring section, select Assignments.
  3. Select Assign policy to create a new policy assignment.
  4. For the Scope field, select the scope of the policy assignment.
  5. For the Policy definition field, select the More button, then select the policy you defined in the previous section from the list.
  6. Provide a name for the policy assignment. The description is optional.
  7. Leave Policy enforcement set to Enabled. This setting has no effect on the audit policy.
  8. Select Review + create to create the assignment.

View compliance report

After you have assigned the policy, you can view the compliance report. The compliance report for an audit policy provides information on which Service Bus namespaces are not in compliance with the policy. For more information, see Get policy compliance data.

It may take several minutes for the compliance report to become available after the policy assignment is created.

To view the compliance report in the Azure portal, follow these steps:

  1. In the Azure portal, navigate to the Azure Policy service.
  2. Select Compliance.
  3. Filter the results for the name of the policy assignment that you created in the previous step. The report shows how many resources are not in compliance with the policy.
  4. You can drill down into the report for additional details, including a list of Service Bus namespaces that are not in compliance.

Use Azure Policy to enforce the minimum TLS version

Azure Policy supports cloud governance by ensuring that Azure resources adhere to requirements and standards. To enforce a minimum TLS version requirement for the Service Bus namespaces in your organization, you can create a policy that prevents the creation of a new Service Bus namespace that sets the minimum TLS requirement to an older version of TLS than that which is dictated by the policy. This policy will also prevent all configuration changes to an existing namespace if the minimum TLS version setting for that namespace is not compliant with the policy.

The enforcement policy uses the deny effect to prevent a request that would create or modify a Service Bus namespace so that the minimum TLS version no longer adheres to your organization's standards. For more information about effects, see Understand Azure Policy effects.

To create a policy with a deny effect for a minimum TLS version that is less than TLS 1.2, provide the following JSON in the policyRule section of the policy definition:

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.ServiceBus/namespaces"
        },
        {
          "not": {
            "field": "Microsoft.ServiceBus/namespaces/minimumTlsVersion",
            "equals": "1.2"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}

After you create the policy with the deny effect and assign it to a scope, a user cannot create a Service Bus namespace with a minimum TLS version that is older than 1.2. Nor can a user make any configuration changes to an existing Service Bus namespace that currently requires a minimum TLS version that is older than 1.2. Attempting to do so results in an error. The required minimum TLS version for the Service Bus namespace must be set to 1.2 to proceed with namespace creation or configuration.

An error will be shown if you try to create a Service Bus namespace with the minimum TLS version set to TLS 1.0 when a policy with a deny effect requires that the minimum TLS version be set to TLS 1.2.

Next steps

See the following documentation for more information.