new search policy to enable while switching from api keys to rbac auth (#521)

ruhanw087 · Ruhan Waghmare · web-flow · commit 192d80346e6d · 2025-11-26T17:07:13.000+01:00
Co-authored-by: Ruhan Waghmare &lt;rug@macbook-pro.lan&gt;
diff --git a/policyDefinitions/Search/return-forbidden-for-auth-failure/azurepolicy.json b/policyDefinitions/Search/return-forbidden-for-auth-failure/azurepolicy.json
@@ -0,0 +1,48 @@
+{
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "name": "e62541ee-b22d-4942-afa0-e15ecb4472da",
+    "properties": {
+      "displayName": "Auth failure should return 403 when in transition from api keys to RBAC authentication",
+      "mode": "All",
+      "description": "Set auth failure mode to https403 for search services in the transition state between using api keys for authentication to RBAC",
+      "metadata": {
+        "category": "Search",
+        "version": "1.0.0"
+      },
+      "parameters": {
+        "effect": {
+          "type": "String",
+          "metadata": {
+            "displayName": "Effect",
+            "description": "Enable or disable the execution of the policy"
+          },
+          "allowedValues": [
+            "Audit",
+            "Disabled"
+          ],
+          "defaultValue": "Audit"
+        }
+      },
+      "policyRule": {
+        "if": {
+          "allOf": [
+            {
+              "field": "type",
+              "equals": "Microsoft.Search/searchServices"
+            },
+            {
+              "field": "Microsoft.Search/searchServices/disableLocalAuth",
+              "notEquals": "true"
+            },
+            {
+              "field": "Microsoft.Search/searchServices/authOptions.aadOrApiKey.aadAuthFailureMode",
+              "notEquals": "http403"
+            }
+          ]
+        },
+        "then": {
+          "effect": "[parameters('effect')]"
+        }
+      }
+    }
+  }
diff --git a/policyDefinitions/Search/return-forbidden-for-auth-failure/azurepolicy.parameters.json b/policyDefinitions/Search/return-forbidden-for-auth-failure/azurepolicy.parameters.json
@@ -0,0 +1,14 @@
+{
+    "effect": {
+      "type": "String",
+      "metadata": {
+        "displayName": "Effect",
+        "description": "Enable or disable the execution of the policy"
+      },
+      "allowedValues": [
+        "Audit",
+        "Disabled"
+      ],
+      "defaultValue": "Audit"
+    }
+}
diff --git a/policyDefinitions/Search/return-forbidden-for-auth-failure/azurepolicy.rules.json b/policyDefinitions/Search/return-forbidden-for-auth-failure/azurepolicy.rules.json
@@ -0,0 +1,21 @@
+{
+    "if": {
+      "allOf": [
+        {
+          "field": "type",
+          "equals": "Microsoft.Search/searchServices"
+        },
+        {
+          "field": "Microsoft.Search/searchServices/disableLocalAuth",
+          "notEquals": "true"
+        },
+        {
+          "field": "Microsoft.Search/searchServices/authOptions.aadOrApiKey.aadAuthFailureMode",
+          "notEquals": "http403"
+        }
+      ]
+    },
+    "then": {
+      "effect": "[parameters('effect')]"
+    }
+}
