Skip to content

Latest commit

 

History

History

azure_policy_audit

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
CHANGELOG.md
CHANGELOG.md
 
 
README.md
README.md
 
 
azure_policy_audit.pt
azure_policy_audit.pt
 
 
azure_policy_audit_meta_parent.pt
azure_policy_audit_meta_parent.pt
 
 

README.md

Azure Policy Audit

What It Does

This policy checks to see if a list of user-specified Azure Policies exist in each Azure Subscription. An incident is raised with a list of all checked Azure Policies and whether or not they exist. Optionally, an email is sent with this information.

How It Works

  • The policy leverages the Azure Resource Manager API to check for assigned policies in all subscriptions the service principal has access to.
  • Assigned policies are compared against the list of policies provided.
  • An email is sent with details on which policies are assigned and not assigned to each subscription.

Input Parameters

  • Email Addresses - Email addresses of the recipients you wish to notify when new incidents are created.
  • Azure Endpoint - The endpoint to send Azure API requests to. Recommended to leave this at default unless using this policy with Azure China.
  • Allow/Deny Subscriptions - Determines whether the Allow/Deny Subscriptions List parameter functions as an allow list (only providing results for the listed subscriptions) or a deny list (providing results for all subscriptions except for the listed subscriptions).
  • Allow/Deny Subscriptions List - A list of allowed or denied Subscription IDs/names. If empty, no filtering will occur and recommendations will be produced for all subscriptions.
  • Policy Names - List of Azure Policy names to check.

Policy Actions

  • Sends an email notification

Prerequisites

This Policy Template uses Credentials for authenticating to datasources -- in order to apply this policy you must have a Credential registered in the system that is compatible with this policy. If there are no Credentials listed when you apply the policy, please contact your Flexera Org Admin and ask them to register a Credential that is compatible with this policy. The information below should be consulted when creating the credential(s).

Credential configuration

For administrators creating and managing credentials to use with this policy, the following information is needed:

  • Azure Resource Manager Credential (provider=azure_rm) which has the following permissions:

    • Microsoft.Authorization/policyAssignments/read
    • Microsoft.Authorization/policyDefinitions/read

  • Flexera Credential (provider=flexera) which has the following roles:

    • billing_center_viewer

The Provider-Specific Credentials page in the docs has detailed instructions for setting up Credentials for the most common providers.

Supported Clouds

  • Azure

Cost

This Policy Template does not incur any cloud costs