Skip to content

Commit 8a4b4ab

Browse files
Albertyang0Albertyang0
committed
Policy samples 2025-05-23-1
1 parent 61d2d13 commit 8a4b4ab

File tree

80 files changed

+104
-99
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

80 files changed

+104
-99
lines changed

articles/governance/policy/samples/built-in-initiatives.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: List of built-in policy initiatives
33
description: List built-in policy initiatives for Azure Policy. Categories include Regulatory Compliance, Azure Machine Configuration, and more.
4-
ms.date: 05/14/2025
4+
ms.date: 05/23/2025
55
ms.topic: generated-reference
66
ms.custom: generated
77
---

articles/governance/policy/samples/built-in-policies.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
title: List of built-in policy definitions
33
description: List built-in policy definitions for Azure Policy. Categories include Tags, Regulatory Compliance, Key Vault, Kubernetes, Azure Machine Configuration, and more.
4-
ms.date: 05/14/2025
4+
ms.date: 05/23/2025
55
ms.topic: generated-reference
66
ms.custom: generated
77
---

includes/policy/reference/bycat/policies-api-for-fhir.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
ms.service: azure-policy
33
ms.topic: include
4-
ms.date: 05/14/2025
4+
ms.date: 05/23/2025
55
ms.author: jasongroce
66
author: jasongroce
77
ms.custom: generated

includes/policy/reference/bycat/policies-api-management.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
ms.service: azure-policy
33
ms.topic: include
4-
ms.date: 05/14/2025
4+
ms.date: 05/23/2025
55
ms.author: jasongroce
66
author: jasongroce
77
ms.custom: generated
@@ -18,8 +18,8 @@ ms.custom: generated
1818
|[API Management service should use a SKU that supports virtual networks](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F73ef9241-5d81-4cd4-b483-8443d1730fe5) |With supported SKUs of API Management, deploying service into a virtual network unlocks advanced API Management networking and security features which provides you greater control over your network security configuration. Learn more at: [https://aka.ms/apimvnet](https://aka.ms/apimvnet). |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/AllowedVNETSkus_AuditDeny.json) |
1919
|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway, can be configured to be accessible either from the Internet or only within the virtual network. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/VNETEnabled_Audit.json) |
2020
|[API Management should disable public network access to the service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf73bd95-24da-4a4f-96b9-4e8b94b402bd) |To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_AINE.json) |
21-
|[API Management should have username and password authentication disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fffe25541-3853-4f4e-b71d-064422294b11) |To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Microsoft Entra ID or Microsoft Entra External ID identity providers and disable the default username and password authentication. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuth_Audit.json) |
21+
|[API Management should have username and password authentication disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fffe25541-3853-4f4e-b71d-064422294b11) |To better secure developer portal, username and password authentication in API Management should be disabled. Configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuth_Audit.json) |
2222
|[API Management subscriptions should not be scoped to all APIs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3aa03346-d8c5-4994-a5bc-7652c2a2aef1) |API Management subscriptions should be scoped to a product or an individual API instead of all APIs, which could result in an excessive data exposure. |Audit, Disabled, Deny |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/AllApiSubscription_AuditDeny.json) |
2323
|[Azure API Management platform version should be stv2](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1dc2fc00-2245-4143-99f4-874c937f13ef) |Azure API Management stv1 compute platform version will be retired effective 31 August 2024, and these instances should be migrated to stv2 compute platform for continued support. Learn more at [https://learn.microsoft.com/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024](/azure/api-management/breaking-changes/stv1-platform-retirement-august-2024) |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PlatformVersion_AuditDeny.json) |
2424
|[Configure API Management services to disable access to API Management public service configuration endpoints](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2) |To improve the security of API Management services, restrict connectivity to service configuration endpoints, like direct access management API, Git configuration management endpoint, or self-hosted gateways configuration endpoint. |DeployIfNotExists, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/PublicEndpoint_DINE.json) |
25-
|[Modify API Management to disable username and password authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b0d74ac-4b43-4c39-a15f-594385adc38d) |To better secure developer portal user accounts and their credentials, configure user authentication through Microsoft Entra ID or Microsoft Entra External ID identity providers and disable the default username and password authentication. |Modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuthDisabled_Modify.json) |
25+
|[Modify API Management to disable username and password authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b0d74ac-4b43-4c39-a15f-594385adc38d) |To better secure developer portal user accounts and their credentials, configure user authentication through Azure AD or Azure AD B2C identity providers and disable the default username and password authentication. |Modify |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/BasicAuthDisabled_Modify.json) |

includes/policy/reference/bycat/policies-app-configuration.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
ms.service: azure-policy
33
ms.topic: include
4-
ms.date: 05/14/2025
4+
ms.date: 05/23/2025
55
ms.author: jasongroce
66
author: jasongroce
77
ms.custom: generated

includes/policy/reference/bycat/policies-app-platform.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
---
22
ms.service: azure-policy
33
ms.topic: include
4-
ms.date: 05/14/2025
4+
ms.date: 05/23/2025
55
ms.author: jasongroce
66
author: jasongroce
77
ms.custom: generated

0 commit comments

Comments
 (0)