You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: includes/policy/reference/bycat/policies-api-management.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -18,8 +18,8 @@ ms.custom: generated
18
18
|[API Management service should use a SKU that supports virtual networks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73ef9241-5d81-4cd4-b483-8443d1730fe5)|With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: [https://aka.ms/apimvnet](https://aka.ms/apimvnet). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/AllowedVNETSkus_AuditDeny.json)|
19
19
|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b)|Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json)|
20
20
|[API Management should disable public network access to the service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf73bd95-24da-4a4f-96b9-4e8b94b402bd)|To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_AINE.json)|
21
-
|[API Management should have username and password authentication disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fffe25541-3853-4f4e-b71d-064422294b11)|To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuth_Audit.json)|
21
+
|[API Management should have username and password authentication disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fffe25541-3853-4f4e-b71d-064422294b11)|To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Microsoft Entra ID or Microsoft Entra External ID identity providers and disable the default username and password authentication. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuth_Audit.json)|
22
22
|[API Management subscriptions should not be scoped to all APIs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3aa03346-d8c5-4994-a5bc-7652c2a2aef1)|API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/AllApiSubscription_AuditDeny.json)|
23
23
|[Azure API Management platform version should be stv2](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1dc2fc00-2245-4143-99f4-874c937f13ef)|Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at [https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024](/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024)|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PlatformVersion_AuditDeny.json)|
24
24
|[Configure API Management services to disable access to API Management public service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2)|To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |DeployIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_DINE.json)|
25
-
|[Modify API Management to disable username and password authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b0d74ac-4b43-4c39-a15f-594385adc38d)|To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. |Modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuthDisabled_Modify.json)|
25
+
|[Modify API Management to disable username and password authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b0d74ac-4b43-4c39-a15f-594385adc38d)|To better secure developer portal user accounts and their credentials, configure user authentication through Microsoft Entra ID or Microsoft Entra External ID identity providers and disable the default username and password authentication. |Modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuthDisabled_Modify.json)|
Copy file name to clipboardExpand all lines: includes/policy/reference/byrp/microsoft.apimanagement.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,11 +21,11 @@ ms.custom: generated
21
21
|[API Management service should use a SKU that supports virtual networks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73ef9241-5d81-4cd4-b483-8443d1730fe5)|With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: [https://aka.ms/apimvnet](https://aka.ms/apimvnet). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/AllowedVNETSkus_AuditDeny.json)|
22
22
|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b)|Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json)|
23
23
|[API Management should disable public network access to the service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf73bd95-24da-4a4f-96b9-4e8b94b402bd)|To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_AINE.json)|
24
-
|[API Management should have username and password authentication disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fffe25541-3853-4f4e-b71d-064422294b11)|To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuth_Audit.json)|
24
+
|[API Management should have username and password authentication disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fffe25541-3853-4f4e-b71d-064422294b11)|To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Microsoft Entra ID or Microsoft Entra External ID identity providers and disable the default username and password authentication. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuth_Audit.json)|
25
25
|[API Management subscriptions should not be scoped to all APIs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3aa03346-d8c5-4994-a5bc-7652c2a2aef1)|API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/AllApiSubscription_AuditDeny.json)|
26
26
|[Azure API Management platform version should be stv2](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1dc2fc00-2245-4143-99f4-874c937f13ef)|Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at [https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024](/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024)|Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PlatformVersion_AuditDeny.json)|
27
27
|[Configure API Management services to disable access to API Management public service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2)|To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |DeployIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_DINE.json)|
28
28
|[Enable logging by category group for API Management services (microsoft.apimanagement/service) to Event Hub](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3a8ff864-d881-44ce-bed3-0c63ede634cb)|Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for API Management services (microsoft.apimanagement/service). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.2.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DS_EH_apimanagement-service_DINE.json)|
29
29
|[Enable logging by category group for API Management services (microsoft.apimanagement/service) to Log Analytics](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F567c93f7-3661-494f-a30f-0a94d9bfebf8)|Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for API Management services (microsoft.apimanagement/service). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DS_LA_apimanagement-service_DINE.json)|
30
30
|[Enable logging by category group for API Management services (microsoft.apimanagement/service) to Storage](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6f3f5778-f809-4755-9d8f-bd5a5a7add85)|Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for API Management services (microsoft.apimanagement/service). |DeployIfNotExists, AuditIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DS_ST_apimanagement-service_DINE.json)|
31
-
|[Modify API Management to disable username and password authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b0d74ac-4b43-4c39-a15f-594385adc38d)|To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. |Modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuthDisabled_Modify.json)|
31
+
|[Modify API Management to disable username and password authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b0d74ac-4b43-4c39-a15f-594385adc38d)|To better secure developer portal user accounts and their credentials, configure user authentication through Microsoft Entra ID or Microsoft Entra External ID identity providers and disable the default username and password authentication. |Modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuthDisabled_Modify.json)|
0 commit comments