Name	Name	Last commit message	Last commit date
parent directory ..
Automation	Automation
Compute	Compute
General	General
Guest Configuration	Guest Configuration
Monitoring	Monitoring
Network	Network
Security Center	Security Center
Storage	Storage
Tags	Tags
README.md	README.md

Custom Policy Definition Library

Compile time: 09/30/2022 15:20:06 UTC Example custom definitions located in the local library

Definitions

Automation

📜 onboard_to_automation_dsc_linux

Title	Description
Name	onboard_to_automation_dsc_linux
DisplayName	Onboard Azure VM and Arc connected Linux machines to Azure Automation DSC
Description	Deploys the DSC extension to onboard Linux nodes to Azure Automation DSC. Assigns a configuration.
Version	2.0.0
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
automationAccountId	Automation Account Id. If this account is outside of the scope of the assignment you must manually grant 'Contributor' permissions (or similar) on the Automation account to the policy assignment's principal ID.
nxNodeConfigurationName	Specifies the node configuration in the Automation account to assign to the node. NOTE: will auto-suffix '.localhost'.
nodeConfigurationMode	Specifies the mode for LCM. Valid options include ApplyOnly, ApplyandMonitor, and ApplyandAutoCorrect. The default value is ApplyAndAutoCorrect.	ApplyAndAutoCorrect	ApplyAndAutoCorrect applyAndMonitor ApplyOnly
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 onboard_to_automation_dsc_windows

Title	Description
Name	onboard_to_automation_dsc_windows
DisplayName	Onboard Azure VM and Arc connected Windows machines to Azure Automation DSC
Description	Deploys the DSC extension to onboard Windows nodes to Azure Automation DSC. Assigns a configuration.
Version	2.0.0
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
automationAccountId	Automation Account Id. If this account is outside of the scope of the assignment you must manually grant 'Contributor' permissions (or similar) on the Automation account to the policy assignment's principal ID.
nodeConfigurationName	Specifies the node configuration in the Automation account to assign to the node. NOTE: will auto-suffix '.localhost'.
nodeConfigurationMode	Specifies the mode for LCM. Valid options include ApplyOnly, ApplyandMonitor, and ApplyandAutoCorrect. The default value is ApplyAndAutoCorrect.	ApplyAndAutoCorrect	ApplyAndAutoCorrect applyAndMonitor ApplyOnly
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

Compute

📜 deploy_linux_lad_vm_agent

Title	Description
Name	deploy_linux_lad_vm_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
diagnosticsStorageAccountName	The Storage Account Id to send diagnostic logs
diagnosticsStorageAccountSas	The Storage Account SAS Token to send diagnostic logs
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_linux_lad_vmss_agent

Title	Description
Name	deploy_linux_lad_vmss_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
diagnosticsStorageAccountName	The Storage Account Id to send diagnostic logs
diagnosticsStorageAccountSas	The Storage Account SAS Token to send diagnostic logs
eventHubUrl	The EventHub Url to stream diagnostic logs to. e.g. https://myeventhub-ns.servicebus.windows.net/diageventhub
eventHubSASToken	The Event Hub Shared Access Token
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_linux_log_analytics_vm_agent

Title	Description
Name	deploy_linux_log_analytics_vm_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
workspaceId	Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_linux_log_analytics_vmss_agent

Title	Description
Name	deploy_linux_log_analytics_vmss_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
workspaceId	Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_windows_log_analytics_vm_agent

Title	Description
Name	deploy_windows_log_analytics_vm_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
workspaceId	Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_windows_log_analytics_vmss_agent

Title	Description
Name	deploy_windows_log_analytics_vmss_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
workspaceId	Specify the Log Analytics Workspace Id the agent should be connected to. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_windows_wad_vm_agent

Title	Description
Name	deploy_windows_wad_vm_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
diagnosticsStorageAccountName	The Storage Account Id to send diagnostic logs
diagnosticsStorageAccountId	The Storage Account Id to send diagnostic logs
eventHubSharedAccessKeyId	The Event Hub Shared Access Key Key Resource Id.
eventHubSharedAccessKeyName	The Event Hub Shared Access Key Name. Defaults to the Root Key	RootManageSharedAccessKey
eventHubUrl	The EventHub Url to stream diagnostic logs to. e.g. https://myeventhub-ns.servicebus.windows.net/diageventhub
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_windows_wad_vmss_agent

Title	Description
Name	deploy_windows_wad_vmss_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
diagnosticsStorageAccountName	The Storage Account Id to send diagnostic logs
diagnosticsStorageAccountId	The Storage Account Id to send diagnostic logs
eventHubSharedAccessKeyId	The Event Hub Shared Access Key Key Resource Id.
eventHubSharedAccessKeyName	The Event Hub Shared Access Key Name. Defaults to the Root Key	RootManageSharedAccessKey
eventHubUrl	The EventHub Url to stream diagnostic logs to. e.g. https://myeventhub-ns.servicebus.windows.net/diageventhub
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 preview_deploy_linux_azure_monitor_vm_agent

Title	Description
Name	preview_deploy_linux_azure_monitor_vm_agent
DisplayName
Description
Version
Effect	deployIfNotExists

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 preview_deploy_windows_azure_monitor_vm_agent

Title	Description
Name	preview_deploy_windows_azure_monitor_vm_agent
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists Disabled
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

General

📜 deny_resources_types

Title	Description
Name	deny_resources_types
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
listOfResourceTypesNotAllowed	The list of resource types that cannot be deployed.
effect	The effect determines what happens when the policy rule is evaluated to match	Audit	Audit Deny Disabled

📜 whitelist_regions

Title	Description
Name	whitelist_regions
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
listOfRegionsAllowed	The list of regions where resources can be deployed.	UK South UK West
effect	The effect determines what happens when the policy rule is evaluated to match	Audit	Audit Deny Disabled

📜 whitelist_resources

Title	Description
Name	whitelist_resources
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
listOfResourceTypesAllowed	The list of resource types that can be deployed.
effect	The effect determines what happens when the policy rule is evaluated to match	Audit	Audit Deny Disabled

Guest Configuration

📜 add_system_identity_when_user_prerequisite

Title	Description
Name	Add_System_Identity_When_User
DisplayName	Add system-assigned managed identity when User-Assigned is present to enable Guest Configuration assignments on VMs
Description	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Version	1.0.0
Effect	modify

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 CGC_nxLAMPServer

Title	Description
Name	CGC_nxLAMPServer
DisplayName	nxLAMPServer
Description	VM Custom Guest Configuration: nxLAMPServer
Version	1.0.0
Effect	deployIfNotExists

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
IncludeArcMachines	By selecting this option, you agree to be charged monthly per Arc connected machine.	False	True False

📜 CGC_SecurityBaselineConfigurationWS2016

Title	Description
Name	CGC_SecurityBaselineConfigurationWS2016
DisplayName	SecurityBaselineConfigurationWS2016
Description	VM Custom Guest Configuration: SecurityBaselineConfigurationWS2016
Version	1.0.0
Effect	deployIfNotExists

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
IncludeArcMachines	By selecting this option, you agree to be charged monthly per Arc connected machine.	False	True False

📜 CGC_WindowsIISServerConfig

Title	Description
Name	CGC_WindowsIISServerConfig
DisplayName	WindowsIISServerConfig
Description	VM Custom Guest Configuration: WindowsIISServerConfig
Version	1.0.0
Effect	deployIfNotExists

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
IncludeArcMachines	By selecting this option, you agree to be charged monthly per Arc connected machine.	False	True False

📜 deploy_extension_linux_prerequisite

Title	Description
Name	Deploy_the_Linux_Guest_Configuration_extension
DisplayName	Deploy the Linux Guest Configuration extension to enable Guest Configuration assignments on Linux VMs
Description	This policy deploys the Linux Guest Configuration extension to Linux virtual machines hosted in Azure that are supported by Guest Configuration. The Linux Guest Configuration extension is a prerequisite for all Linux Guest Configuration assignments and must be deployed to machines before using any Linux Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Version	1.0.1
Effect	deployIfNotExists

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 deploy_extension_windows_prerequisite

Title	Description
Name	Deploy_the_Windows_Guest_Configuration_extension
DisplayName	Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs
Description	This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must be deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Version	1.0.1
Effect	deployIfNotExists

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

📜 add_system_identity_when_none_prerequisite

Title	Description
Name	Add_System_Identity_When_None
DisplayName	Add system-assigned managed identity when none present to enable Guest Configuration assignments on virtual machines
Description	This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit https://aka.ms/gcpol.
Version	1.0.0
Effect	modify

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
listOfImageIdToInclude_windows	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'
listOfImageIdToInclude_linux	Example value: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'

Monitoring

📜 deploy_public_ip_diagnostic_setting

Title	Description
Name	deploy_public_ip_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Public IPs to a Log Analytics workspace
Description	Deploys the diagnostic settings for Public IPs to stream to a regional Log Analytics workspace when any Public IP which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Enable Metrics - True or False	True	True False
logsEnabled	Enable Logs - True or False	True	True False

📜 deploy_storage_account_diagnostic_setting

Title	Description
Name	deploy_storage_account_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Azure Storage, including blobs, files, tables, and queues to a Log Analytics workspace
Description	Deploys the diagnostic settings for Azure Storage, including blobs, files, tables, and queues to stream to a regional Log Analytics workspace when any Azure Storage which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Enable Logs - True or False	True	True False

📜 deploy_subscription_diagnostic_setting

Title	Description
Name	deploy_subscription_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Subscriptions to a Log Analytics workspace
Description	Deploys the diagnostic settings for Subscriptions to stream to a regional Log Analytics workspace when any Subscription which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists AuditIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
logsEnabled	Enable Logs - True or False	True	True False

📜 deploy_virtual_machine_diagnostic_setting

Title	Description
Name	deploy_virtual_machine_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Virtual Machines to a Log Analytics workspace
Description	Deploys the diagnostic settings for Virtual Machines to stream to a regional Log Analytics workspace when any Virtual Machine which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

📜 deploy_vnet_diagnostic_setting

Title	Description
Name	deploy_vnet_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Virtual Networks to a Log Analytics workspace
Description	Deploys the diagnostic settings for Virtual Networks to stream to a regional Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

📜 deploy_vnet_gateway_diagnostic_setting

Title	Description
Name	deploy_vnet_gateway_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Virtual Network Gateways to a Log Analytics workspace
Description	Deploys the diagnostic settings for Virtual Network Gateways to stream to a regional Log Analytics workspace when any Virtual Network Gateway which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

📜 deploy_network_security_group_diagnostic_setting

Title	Description
Name	deploy_network_security_group_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Network Security Groups to a Log Analytics workspace
Description	Deploys the diagnostic settings for Network Security Groups to stream to a regional Log Analytics workspace when any Network Security Group which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
logsEnabled	Enable Logs - True or False	True	True False

📜 deploy_network_interface_diagnostic_setting

Title	Description
Name	deploy_network_interface_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Network Interfaces to a Log Analytics workspace
Description	Deploys the diagnostic settings for Network Interfaces to stream to a regional Log Analytics workspace when any Network Interface which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Enable Metrics - True or False	True	True False

📜 deploy_keyvault_diagnostic_setting

Title	Description
Name	deploy_keyvault_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for KeyVaults to a Log Analytics workspace
Description	Deploys the diagnostic settings for KeyVaults to stream to a regional Log Analytics workspace when any KeyVault which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

📜 deploy_loadbalancer_diagnostic_setting

Title	Description
Name	deploy_loadbalancer_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Load Balancers to a Log Analytics workspace
Description	Deploys the diagnostic settings for Load Balancers to stream to a regional Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

📜 audit_log_analytics_workspace_retention

Title	Description
Name	audit_log_analytics_workspace_retention
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	AuditIfNotExists	AuditIfNotExists Disabled
workspaceRetentionDays	Log Analytics Workspace should be retained for the specified amount of days. Defaults to 15 months	456

📜 audit_subscription_diagnostic_setting_should_exist

Title	Description
Name	audit_subscription_diagnostic_setting_should_exist
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	AuditIfNotExists	AuditIfNotExists Disabled

📜 deploy_application_gateway_diagnostic_setting

Title	Description
Name	deploy_application_gateway_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Application Gateways to a Log Analytics workspace
Description	Deploys the diagnostic settings for Application Gateways to stream to a regional Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

📜 deploy_eventhub_diagnostic_setting

Title	Description
Name	deploy_eventhub_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Event Hubs to a Log Analytics workspace
Description	Deploys the diagnostic settings for Event Hubs to stream to a regional Log Analytics workspace when any Event Hub which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

📜 deploy_expressroute_connection_diagnostic_setting

Title	Description
Name	deploy_expressroute_connection_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for ExpressRoute Connections to a Log Analytics workspace
Description	Deploys the diagnostic settings for ExpressRoute Connections to stream to a regional Log Analytics workspace when any ExpressRoute Connection which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Enable Metrics - True or False	True	True False
logsEnabled	Enable Logs - True or False	True	True False

📜 deploy_expressroute_diagnostic_setting

Title	Description
Name	deploy_expressroute_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for ExpressRoutes to a Log Analytics workspace
Description	Deploys the diagnostic settings for ExpressRoutes to stream to a regional Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Enable Metrics - True or False	True	True False
logsEnabled	Enable Logs - True or False	True	True False

📜 deploy_firewall_diagnostic_setting

Title	Description
Name	deploy_firewall_diagnostic_setting
DisplayName	Deploy Diagnostic Settings for Firewalls to a Log Analytics workspace
Description	Deploys the diagnostic settings for Firewalls to stream to a regional Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated.
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	AuditIfNotExists DeployIfNotExists Disabled
profileName	The diagnostic settings profile name	setbypolicy_Diagnostics
workspaceId	Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.
storageAccountId	The Storage Account Resource Id to send activity logs
eventHubAuthorizationRuleId	The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}
eventHubName	The EventHub name to stream activity logs to
metricsEnabled	Whether to enable metrics stream to the Log Analytics workspace - True or False	False	True False
logsEnabled	Whether to enable logs stream to the Log Analytics workspace - True or False	True	True False

Network

📜 create_nsg_rule_append

Title	Description
Name	create_nsg_rule_append
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
name
protocol			TCP UDP ICMP *
access			Allow Deny
priority
direction			Inbound Outbound
sourcePortRanges
destinationPortRanges
sourceAddressPrefixes
destinationAddressPrefixes
effect	The effect determines what happens when the policy rule is evaluated to match	Append	Append Disabled

📜 deny_nat_rules_firewalls

Title	Description
Name	deny_nat_rules_firewalls
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

📜 deny_nic_on_unapproved_vnet

Title	Description
Name	deny_nic_on_unapproved_vnet
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled
virtualNetworkId	Resource Id of the virtual network. Example: /subscriptions/YourSubscriptionId/resourceGroups/YourResourceGroupName/providers/Microsoft.Network/virtualNetworks/Name

📜 deny_nic_public_ip_on_specific_subnets

Title	Description
Name	deny_nic_public_ip_on_specific_subnets
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
deniedSuffix	NICs attached to a subnet containing this suffix will be unable to attach a Public IP
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

📜 deny_nic_public_ip

Title	Description
Name	deny_nic_public_ip
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

📜 deny_nsg_outbound_allow_all

Title	Description
Name	deny_nsg_outbound_allow_all
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

📜 deny_nsgs_with_rules_with_source_inbound_any

Title	Description
Name	deny_nsgs_with_rules_with_source_inbound_any
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

📜 deny_pip_if_not_associated_authorised_resource

Title	Description
Name	deny_pip_if_not_associated_authorised_resource
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

📜 deny_unapproved_udr

Title	Description
Name	deny_unapproved_udr
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
allowedHops	A list of the permitted 'next hops' for a UDR
effect	The effect determines what happens when the policy rule is evaluated to match	Audit	Audit Deny Disabled

📜 require_nsg_on_vnet

Title	Description
Name	require_nsg_on_vnet
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
allowedRanges	Provide the list of approved IP ranges for NSGs
effect	The effect determines what happens when the policy rule is evaluated to match	Audit	Audit Deny Disabled

📜 restrict_vnet_peering

Title	Description
Name	restrict_vnet_peering
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
trustedVnetIds	Trusted vNet IDs
effect	The effect determines what happens when the policy rule is evaluated to match	Audit	Audit Deny Disabled

📜 deny_unapproved_udr_hop_type

Title	Description
Name	deny_unapproved_udr_hop_type
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
allowedHopType1	A permitted hop type for a UDR
allowedHopType2	A permitted hop type for a UDR
allowedHopType3	A permitted hop type for a UDR
effect	The effect determines what happens when the policy rule is evaluated to match	Audit	Audit Deny Disabled

Security Center

📜 auto_enroll_subscriptions

Title	Description
Name	auto_enroll_subscriptions
DisplayName	Enroll Subscriptions to Azure Security Center
Description	Enroll Subscriptions to Azure Security Center Standard Pricing Tier, Note: the new Containers Plan will be replacing Container Registries and Kubernetes
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists AuditIfNotExists Disabled
pricingTier	ASC Pricing Tier	Standard	Free Standard

📜 auto_provision_log_analytics_agent_custom_workspace

Title	Description
Name	auto_provision_log_analytics_agent_custom_workspace
DisplayName	Auto Provision Subscriptions to Log Analytics Custom to Workspace
Description	Enable Security Center's auto provisioning of the Log Analytics agent on your subscriptions with custom workspace
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists AuditIfNotExists Disabled
workspaceId	Auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.

📜 auto_set_contact_details

Title	Description
Name	auto_set_contact_details
DisplayName	Set Security Center contact email address and phone number on Subscriptions
Description	Automatically set the security contact email address and phone number should they be blank on the subscription
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists AuditIfNotExists Disabled
securityContactsEmail	The email of the Security Center Contact.
securityContactsPhone	The phone number of the Security Center Contact.

📜 enable_vulnerability_vm_assessments

Title	Description
Name	enable_vulnerability_vm_assessments
DisplayName	Enable Security Center VM Vulnerability Assessments
Description	Enable Security Center VM Vulnerability Assessments
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists AuditIfNotExists Disabled

📜 export_asc_alerts_and_recommendations_to_eventhub

Title	Description
Name	export_asc_alerts_and_recommendations_to_eventhub
DisplayName	Export ASC alerts and recommendations to eventhub
Description	Enable Export to Event Hub for Azure Security Center alerts and recommendations
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists AuditIfNotExists Disabled
resourceGroupName	The resource group name where the export to Event Hub configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Event Hub configured.	policy-export-asc-alerts
resourceGroupLocation	The location where the resource group and the export to Event Hub configuration are created.	uksouth	uksouth ukwest
exportedDataTypes	The data types to be exported. Example: Security recommendations;Security alerts;Secure scores;Secure score controls;	Security recommendations Security alerts Overall secure score Secure score controls	Security recommendations Security alerts Overall secure score Secure score controls
recommendationNames	Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer (https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade), choose securityresources and microsoft.security/assessments.
recommendationSeverities	Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;	High Medium Low	High Medium Low
isSecurityFindingsEnabled	Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation.	True	True False
secureScoreControlsNames	Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer (https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade), choose securityresources and microsoft.security/securescores/securescorecontrols.
alertSeverities	Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;	High Medium Low	High Medium Low
eventHubDetails	The Event Hub details of where the data should be exported to: Subscription, Event Hub Namespace, Event Hub, and Authorizations rules with 'Send' claim. If you do not already have an event hub, visit Event Hubs to create one (https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.EventHub%2Fnamespaces).

📜 export_asc_alerts_and_recommendations_to_log_analytics

Title	Description
Name	export_asc_alerts_and_recommendations_to_log_analytics
DisplayName	Export ASC alerts and recommendations to Log Analytics
Description	Enable Export to Log Analytics Workspace for Azure Security Center alerts and recommendations
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	Enable or disable the execution of the policy	DeployIfNotExists	DeployIfNotExists AuditIfNotExists Disabled
resourceGroupName	The resource group name where the export to Log Analytics configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics configured.	policy-export-asc-alerts
resourceGroupLocation	The location where the resource group and the export to Log Analytics configuration are created.	uksouth	uksouth ukwest
exportedDataTypes	The data types to be exported. Example: Security recommendations;Security alerts;Secure scores;Secure score controls;	Security recommendations Security alerts Overall secure score Secure score controls	Security recommendations Security alerts Overall secure score Secure score controls
recommendationNames	Applicable only for export of security recommendations. To export all recommendations, leave this empty. To export specific recommendations, enter a list of recommendation IDs separated by semicolons (';'). Recommendation IDs are available through the Assessments API (https://docs.microsoft.com/rest/api/securitycenter/assessments), or Azure Resource Graph Explorer (https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade), choose securityresources and microsoft.security/assessments.
recommendationSeverities	Applicable only for export of security recommendations. Determines recommendation severities. Example: High;Medium;Low;	High Medium Low	High Medium Low
isSecurityFindingsEnabled	Security findings are results from vulnerability assessment solutions, and can be thought of as 'sub' recommendations grouped into a 'parent' recommendation.	True	True False
secureScoreControlsNames	Applicable only for export of secure score controls. To export all secure score controls, leave this empty. To export specific secure score controls, enter a list of secure score controls IDs separated by semicolons (';'). Secure score controls IDs are available through the Secure score controls API (https://docs.microsoft.com/rest/api/securitycenter/securescorecontrols), or Azure Resource Graph Explorer (https://portal.azure.com/#blade/HubsExtension/ArgQueryBlade), choose securityresources and microsoft.security/securescores/securescorecontrols.
alertSeverities	Applicable only for export of security alerts. Determines alert severities. Example: High;Medium;Low;	High Medium Low	High Medium Low
workspaceId	Auto provision the Log Analytics agent on your subscriptions to monitor and collect security data using a custom workspace.

Storage

📜 storage_enforce_https

Title	Description
Name	storage_enforce_https
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

📜 storage_enforce_minimum_tls1_2

Title	Description
Name	storage_enforce_minimum_tls1_2
DisplayName
Description
Version
Effect	[parameters('effect')]

🧮 ~ Parameters

Name	Description	Default Value	Allowed Values
effect	The effect determines what happens when the policy rule is evaluated to match	Deny	Audit Deny Disabled

Title	Description
Name	add_replace_resource_group_tag_key_modify
DisplayName
Description
Version
Effect	[parameters('effect')]

Title	Description
Name	inherit_resource_group_tags_append
DisplayName
Description
Version
Effect	[parameters('effect')]

Name	Description	Default Value	Allowed Values
tagName	Name of the tag, such as 'environment'
effect	The effect determines what happens when the policy rule is evaluated to match	Append	Append Disabled

Title	Description
Name	inherit_resource_group_tags_modify
DisplayName
Description
Version
Effect	[parameters('effect')]

Title	Description
Name	require_resource_group_tags
DisplayName
Description
Version
Effect	[parameters('effect')]

Files

policies

Directory actions

More options

Directory actions

More options

Latest commit

History

policies

Folders and files

parent directory

README.md

Custom Policy Definition Library

Categories

Definitions

Automation

📜 onboard_to_automation_dsc_linux

🧮 ~ Parameters

📜 onboard_to_automation_dsc_windows

🧮 ~ Parameters

Compute

📜 deploy_linux_lad_vm_agent

🧮 ~ Parameters

📜 deploy_linux_lad_vmss_agent

🧮 ~ Parameters

📜 deploy_linux_log_analytics_vm_agent

🧮 ~ Parameters

📜 deploy_linux_log_analytics_vmss_agent

🧮 ~ Parameters

📜 deploy_windows_log_analytics_vm_agent

🧮 ~ Parameters

📜 deploy_windows_log_analytics_vmss_agent

🧮 ~ Parameters

📜 deploy_windows_wad_vm_agent

🧮 ~ Parameters

📜 deploy_windows_wad_vmss_agent

🧮 ~ Parameters

📜 preview_deploy_linux_azure_monitor_vm_agent

🧮 ~ Parameters

📜 preview_deploy_windows_azure_monitor_vm_agent

🧮 ~ Parameters

General

📜 deny_resources_types

🧮 ~ Parameters

📜 whitelist_regions

🧮 ~ Parameters

📜 whitelist_resources

🧮 ~ Parameters

Guest Configuration

📜 add_system_identity_when_user_prerequisite

🧮 ~ Parameters

📜 CGC_nxLAMPServer

🧮 ~ Parameters

📜 CGC_SecurityBaselineConfigurationWS2016

🧮 ~ Parameters

📜 CGC_WindowsIISServerConfig

🧮 ~ Parameters

📜 deploy_extension_linux_prerequisite

🧮 ~ Parameters

📜 deploy_extension_windows_prerequisite

🧮 ~ Parameters

📜 add_system_identity_when_none_prerequisite

🧮 ~ Parameters

Monitoring

📜 deploy_public_ip_diagnostic_setting

🧮 ~ Parameters

📜 deploy_storage_account_diagnostic_setting

🧮 ~ Parameters

📜 deploy_subscription_diagnostic_setting

🧮 ~ Parameters

📜 deploy_virtual_machine_diagnostic_setting

🧮 ~ Parameters

📜 deploy_vnet_diagnostic_setting

🧮 ~ Parameters

📜 deploy_vnet_gateway_diagnostic_setting

🧮 ~ Parameters

📜 deploy_network_security_group_diagnostic_setting

🧮 ~ Parameters

📜 deploy_network_interface_diagnostic_setting

🧮 ~ Parameters