DeployIfNotExists policy at Subscription level - azure

I am trying to enable Diagnostic Settings of subscriptions using a custom policy. But the compliance report always shows 0/0; basically it is not identifying the subscriptions under a management group. To confirm this behavior, I created a custom policy, duplicating the built-in policy "Enable Azure Security Center on your subscription". It is also showing 0/0. Is there any limitation to deploying something using a DeployIfNotExists policy at subscription level?

Azure Policy is capable of deploying resources at the Subscription level. Are you sure that your scope for the Policy Assignment is set at the parent Management group of your Subscriptions?
This should be what you are looking for. There are examples in this directory for creating diagnostic settings for Activity Logs on a Subscription that point to a Storage Account, Log Analytics Workspace, or an Eventhub. Below is a link for a deployIfNotExists policy that points to a Log Analytics Workspace.
https://github.com/Azure/Community-Policy/blob/master/Policies/Monitoring/deploy-diagnostic-setting-for-activity-log-log-analytics/azurepolicy.json
(all credit for this policy to the original author)
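As an added example (not the original answer's code, and not the linked Community-Policy file itself), the following Az PowerShell script shows the shape such a policy needs: the rule matches the `Microsoft.Resources/subscriptions` type, the deployment and existence scopes are set to `subscription`, and the assignment is made at the management group with a managed identity that is then granted the roles the remediation needs. The management group name, workspace resource ID, region and policy names are placeholders; the role GUIDs are the built-in Monitoring Contributor and Log Analytics Contributor roles.

```powershell
# Added example. Assumed names: management group 'mg-landingzones', a central
# Log Analytics workspace ($workspaceId), deployment region 'eastus'.
$mgName      = 'mg-landingzones'
$mgScope     = "/providers/Microsoft.Management/managementGroups/$mgName"
$workspaceId = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logging/providers/Microsoft.OperationalInsights/workspaces/law-central'

# Policy rule: match the subscription resource itself, look for a diagnostic setting that
# points at the workspace, and deploy a subscription-level template when none exists.
$rule = @'
{
  "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "deploymentScope": "subscription",
      "existenceScope": "subscription",
      "existenceCondition": {
        "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
        "equals": "[parameters('logAnalytics')]"
      },
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
        "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
      ],
      "deployment": {
        "location": "eastus",
        "properties": {
          "mode": "incremental",
          "parameters": { "logAnalytics": { "value": "[parameters('logAnalytics')]" } },
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": { "logAnalytics": { "type": "string" } },
            "resources": [ {
              "type": "Microsoft.Insights/diagnosticSettings",
              "apiVersion": "2017-05-01-preview",
              "name": "activitylog-to-law",
              "location": "Global",
              "properties": {
                "workspaceId": "[parameters('logAnalytics')]",
                "logs": [
                  { "category": "Administrative",  "enabled": true },
                  { "category": "Security",        "enabled": true },
                  { "category": "ServiceHealth",   "enabled": true },
                  { "category": "Alert",           "enabled": true },
                  { "category": "Recommendation",  "enabled": true },
                  { "category": "Policy",          "enabled": true },
                  { "category": "Autoscale",       "enabled": true },
                  { "category": "ResourceHealth",  "enabled": true }
                ]
              }
            } ]
          }
        }
      }
    }
  }
}
'@

$params = @'
{ "logAnalytics": { "type": "String",
    "metadata": { "displayName": "Log Analytics workspace", "strongType": "omsWorkspace" } } }
'@

# Mode 'All' so the subscription resource type itself is evaluated; define at the management group.
$def = New-AzPolicyDefinition -Name 'deploy-activitylog-to-law' `
    -DisplayName 'Deploy activity log diagnostic setting to Log Analytics' `
    -Policy $rule -Parameter $params -Mode All -ManagementGroupName $mgName

# Assign at the management group (parent of the subscriptions) with a system-assigned identity;
# DeployIfNotExists cannot remediate without one. Older Az.Resources uses -AssignIdentity instead.
$assignment = New-AzPolicyAssignment -Name 'activitylog-to-law' -PolicyDefinition $def `
    -Scope $mgScope -PolicyParameterObject @{ logAnalytics = $workspaceId } `
    -IdentityType SystemAssigned -Location 'eastus'

# roleDefinitionIds in the rule only declare what is needed; the identity must actually be granted it.
# Monitoring Contributor across the management group (writes the settings), Log Analytics Contributor
# only on the workspace (least privilege).
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName 'Monitoring Contributor' -Scope $mgScope
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName 'Log Analytics Contributor' -Scope $workspaceId

# Existing subscriptions are only fixed by a remediation task; new ones are handled on creation.
Start-AzPolicyRemediation -Name 'activitylog-to-law-initial' -ManagementGroupName $mgName `
    -PolicyAssignmentId "$mgScope/providers/Microsoft.Authorization/policyAssignments/activitylog-to-law"

# Compliance is evaluated on a cycle; this shows compliant/non-compliant counts once it has run.
Get-AzPolicyStateSummary -ManagementGroupName $mgName -PolicyAssignmentName 'activitylog-to-law'
```

If the summary still shows no evaluated resources, the usual causes are an assignment scoped below the subscriptions (a resource group or a single subscription instead of the parent management group) or a definition in `Indexed` mode, which does not evaluate the subscription type.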

Related

Azure IAM - is it possible to audit group memberships using Azure Policy?

I want to first audit (and later enforce) that user names added to a specific AD group follow a certain naming convention. Is this achievable via Azure Policy? It would be straightforward to get such a report through scripting, but in our case we want to see a clear audit status with Azure policies and eventually prevent them from being added in the first place with the Policy deny effect.
No, I believe Azure Policy can only be used on the Azure Resource Manager scope. Azure AD objects like users and groups can't be managed using Azure Policy. So one way to think of it is that if you can deploy something with an ARM template, you can likely govern only those objects using Azure Policy.
The alternative to having nice audit reports for Azure AD stuff would be Azure AD Privileged Identity Management (PIM). It's pretty awesome but I don't think your use case around enforcing and auditing naming conventions of users is supported. Cheers!

Azure users must only be assigned to groups

At the moment most users are given default roles in Azure such as Contributor or User. We need to prevent this and only allow users to be added to AD groups, and these groups need to be given Azure access (IAM). I am thinking of using Azure Policy for this, but cannot find any documentation in this regard.
Unfortunately, as of today (Oct 20, 2020), I do not believe this is possible with policy. It is my understanding that Azure Policy intentionally draws a distinct line between Azure Resources and anything Azure Active Directory or RBAC related. Azure Policy is meant to be agnostic of roles and users with an exception to the roles required to perform a remediation in deployIfNotExists policies.
https://learn.microsoft.com/en-us/azure/governance/policy/overview#azure-policy-and-azure-rbac

Get all Diagnostic Settings from Azure using API

I wanted to get all diagnostic settings from Azure under my subscription. I want all of them, either enabled or disabled. I am using the below API but it doesn't help, as it requires a workflow and I don't have workflows.
https://learn.microsoft.com/en-us/rest/api/monitor/diagnosticsettings/list
I modified it and used the below, but it returns nothing. In Azure I have a total of 8 settings; 1 is enabled and the others are disabled.
https://management.azure.com/subscriptions/{subscriptionId}/providers/microsoft.insights/diagnosticSettings?api-version=2017-05-01-preview
I don't think that you will be able to get the diagnostics settings for all the resources in your Azure Subscription in a single API call.
From the documentation link:
Gets the active diagnostic settings list for the specified resource.
The reason you're not getting any results back is because you're trying to get diagnostics settings for your subscription resource and AFAIK there are no diagnostics settings that can be defined at the subscription level.
What you would need to do is list all the resources in your subscription and then, for each resource, get the diagnostic settings separately.
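An added example of that two-step procedure (not code from the original answer): enumerate the subscription's resources, then issue the same `microsoft.insights/diagnosticSettings` GET from the question against each resource ID, and classify every setting as enabled or disabled from its log and metric categories. It assumes an existing `Connect-AzAccount` session and Az.Accounts' `Invoke-AzRestMethod`; the subscription ID is a placeholder. One caveat a practitioner should keep in mind: the activity log's own diagnostic settings (the ones the policy in the first answer on this page creates) live at the subscription path the question tried, so that call is shown separately at the end rather than folded into the resource loop.

```powershell
# Added example; $subscriptionId is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$apiVersion     = '2017-05-01-preview'

function Get-DiagnosticSettingReport {
    param([Parameter(Mandatory)][string]$ResourceId)

    # Same REST call as in the question, but scoped to one resource ID.
    $resp = Invoke-AzRestMethod -Method GET `
        -Path "$ResourceId/providers/microsoft.insights/diagnosticSettings?api-version=$apiVersion"

    # Resource types without a diagnostic-setting category table answer 400/404;
    # record them as not applicable instead of aborting the whole run.
    if ($resp.StatusCode -ne 200) {
        return [pscustomobject]@{ ResourceId = $ResourceId; Setting = $null
                                  Status = "n/a ($($resp.StatusCode))"; Destination = $null }
    }

    $settings = ($resp.Content | ConvertFrom-Json).value
    if (-not $settings) {
        return [pscustomobject]@{ ResourceId = $ResourceId; Setting = $null; Status = 'none'; Destination = $null }
    }

    foreach ($s in $settings) {
        $p = $s.properties
        # A setting is "enabled" when at least one log or metric category is switched on.
        $anyEnabled = @($p.logs; $p.metrics) | Where-Object { $_.enabled -eq $true } | Select-Object -First 1
        # Destinations: Log Analytics workspace, storage account and/or Event Hub rule.
        $dest = @($p.workspaceId, $p.storageAccountId, $p.eventHubAuthorizationRuleId) | Where-Object { $_ }
        [pscustomobject]@{
            ResourceId  = $ResourceId
            Setting     = $s.name
            Status      = $(if ($anyEnabled) { 'enabled' } else { 'disabled' })
            Destination = ($dest -join ';')
        }
    }
}

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Step 1: list every resource in the subscription. Step 2: query each one's diagnostic settings.
$report = Get-AzResource | ForEach-Object { Get-DiagnosticSettingReport -ResourceId $_.ResourceId }

$report | Where-Object { $_.Status -in 'enabled', 'disabled' } | Format-Table -AutoSize
$report | Group-Object Status | Select-Object Name, Count

# Activity log settings are attached to the subscription itself, not to any listed resource.
Get-DiagnosticSettingReport -ResourceId "/subscriptions/$subscriptionId" | Format-Table -AutoSize
```

Expect the run to take a while on large subscriptions, since it is one request per resource; the `n/a` rows are normal and simply mean the resource type has no diagnostic categories.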

Not able to see the Azure Microsoft.classiccompute provider to register

Team,
I am using the CSP subscription. I need to create a cloud service within the Azure portal, but it gave me a red line saying that the "subscription is not allowed to register Microsoft.classiccompute".
Is this because its using the CSP subscription ? Is there any workaround ?
I tried to find the "provider to register" to my subscription but cannot be found in the list to register it.
How do we possibly include the provider to my subscription or is it that CSP subscription is not allowed to register?
Do I have to use a non-CSP subscription? Please help.
Azure CSP supports only the Azure Resource Manager model; the cloud service Microsoft.classiccompute is the classic deployment model, so you need to use another subscription. Refer to this link:
For example, because Azure CSP supports only the Azure Resource Manager model, non-Azure Resource Manager services are not available in the program.

How to check applied policies and/or the user limits on a subscription

I'm using "MSDN Platforms" and "Developer Program Benefit" subscriptions.
I'm unable to create resource groups and services in certain locations on a selected subscription, either through the Azure portal or Azure PowerShell. Sometimes I get exceptions on quota limits.
How do I check applied policies and/or the user limits on a subscription?
I'm asking because of the subscription limitations; I got an error message in the following scenario:
Created availability set in southindia location
Trying to deploy a VM in the same location.
How do I check applied policies and/or the user limits on a subscription?
You could check it on Azure Portal. <your subscription>-->Usage + quotas.
If you reach your subscription limit, you could create a ticket to raise the limit, please refer to this link.
Also, you need to check your user's role; if you want to create resources in Azure, I suggest you select the Owner or Contributor role. Please refer to this link.
Note: In this link I provide, the application name is your user name.
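An added Az PowerShell example (not part of the original answer) that performs the same checks from the command line rather than the portal: compute quota in the region, the policy assignments that apply to the subscription including those inherited from a management group, recent policy deny events, and the signed-in user's role assignments. It assumes Az.Compute, Az.Resources, Az.PolicyInsights and an active `Connect-AzAccount` session; the subscription ID is a placeholder and `southindia` is the region from the question.

```powershell
# Added example; the subscription ID is a placeholder.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$location       = 'southindia'
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# 1. Compute quota in the region (the portal's "Usage + quotas" view), tightest headroom first.
Get-AzVMUsage -Location $location |
    Select-Object @{ n = 'Quota'; e = { $_.Name.LocalizedValue } }, CurrentValue, Limit |
    Sort-Object { $_.Limit - $_.CurrentValue } |
    Format-Table -AutoSize

# 2. Policy assignments that apply to this subscription, including ones set at a parent
#    management group. An "Allowed locations" assignment here explains region failures.
Get-AzPolicyAssignment -Scope "/subscriptions/$subscriptionId" |
    Select-Object Name, @{ n = 'AssignedAt'; e = { $_.Properties.Scope } }

# 3. Recent deny events, which show exactly which assignment blocked a deployment.
Get-AzPolicyEvent -SubscriptionId $subscriptionId -Filter "PolicyDefinitionAction eq 'deny'" -Top 20 |
    Select-Object Timestamp, PolicyAssignmentName, ResourceId

# 4. The signed-in user's own role assignments on the subscription (Owner or Contributor
#    is what the answer recommends for creating resources).
Get-AzRoleAssignment -SignInName (Get-AzContext).Account.Id -Scope "/subscriptions/$subscriptionId" |
    Select-Object RoleDefinitionName, Scope

# 5. Regions in which this subscription can actually deploy virtual machines; an offer
#    such as a developer benefit may not be enabled in every region.
Get-AzResourceProvider -ProviderNamespace Microsoft.Compute |
    Where-Object { $_.ResourceTypes.ResourceTypeName -eq 'virtualMachines' } |
    Select-Object -ExpandProperty Locations
```

Check step 5 before raising a quota ticket: if the region is missing from that list, the failure is the offer's region availability rather than a limit, and a quota increase will not help.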
