@@ -21,8 +21,316 @@ the link in the **Version** column to view the source on the
2121
2222[ !INCLUDE [ azure-policy-reference-rp-appservice] ( ../../includes/policy/reference/byrp/microsoft.web.md )]
2323
24+ ## Release notes
25+
26+ ### October 2024
27+
28+ - TLS 1.3 is now supported in App Service apps and slots. The following policies have been updated to enforce setting the minimum TLS version to 1.3:
29+ - "App Service apps should use the latest TLS version"
30+ - "App Service app slots should use the latest TLS version"
31+ - "Configure App Service apps to use the latest TLS version"
32+ - "Configure App Service app slots to use the latest TLS version"
33+ - "Function apps should use the latest TLS version"
34+ - "Configure Function apps to use the latest TLS version"
35+ - "Function app slots should use the latest TLS version"
36+ - "Configure Function app slots to use the latest TLS version"
37+
38+ ### April 2023
39+
40+ - ** App Service apps that use Java should use the latest 'Java version'**
41+ - Rename of policy to "App Service apps that use Java should use a specified 'Java version'"
42+ - Update policy so that it requires a version specification before assignment
43+ - ** App Service apps that use Python should use the latest 'Python version'**
44+ - Rename of policy to "App Service apps that use Python should use a specified 'Python version'"
45+ - Update policy so that it requires a version specification before assignment
46+ - ** Function apps that use Java should use the latest 'Java version'**
47+ - Rename of policy to "Function apps that use Java should use a specified 'Java version'"
48+ - Update policy so that it requires a version specification before assignment
49+ - ** Function apps that use Python should use the latest 'Python version'**
50+ - Rename of policy to "Function apps that use Python should use a specified 'Python version'"
51+ - Update policy so that it requires a version specification before assignment
52+ - ** App Service apps that use PHP should use the latest 'PHP version'**
53+ - Rename of policy to "App Service apps that use PHP should use a specified 'PHP version'"
54+ - Update policy so that it requires a version specification before assignment
55+ - ** App Service app slots that use Python should use a specified 'Python version'**
56+ - New policy created
57+ - ** Function app slots that use Python should use a specified 'Python version'**
58+ - New policy created
59+ - ** App Service app slots that use PHP should use a specified 'PHP version'**
60+ - New policy created
61+ - ** App Service app slots that use Java should use a specified 'Java version'**
62+ - New policy created
63+ - ** Function app slots that use Java should use a specified 'Java version'**
64+ - New policy created
65+
66+ ### November 2022
67+
68+ - Deprecation of policy ** App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
69+ - Replaced by a policy with the same display name based on the site property to support * Deny* effect
70+ - Deprecation of policy ** App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
71+ - Replaced by a policy with the same display name based on the site property to support * Deny* effect
72+ - ** App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
73+ - New policy created
74+ - ** App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
75+ - New policy created
76+ - ** App Service apps should enable configuration routing to Azure Virtual Network**
77+ - New policy created
78+ - ** App Service app slots should enable configuration routing to Azure Virtual Network**
79+ - New policy created
80+
81+ ### October 2022
82+
83+ - ** Function app slots should have remote debugging turned off**
84+ - New policy created
85+ - ** App Service app slots should have remote debugging turned off**
86+ - New policy created
87+ - ** Function app slots should use latest 'HTTP Version'**
88+ - New policy created
89+ - ** Function app slots should use the latest TLS version**
90+ - New policy created
91+ - ** App Service app slots should use the latest TLS version**
92+ - New policy created
93+ - ** App Service app slots should have resource logs enabled**
94+ - New policy created
95+ - ** App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network**
96+ - New policy created
97+ - ** App Service app slots should use managed identity**
98+ - New policy created
99+ - ** App Service app slots should use latest 'HTTP Version'**
100+ - New policy created
101+ - Deprecation of policy ** Configure App Services to disable public network access**
102+ - Replaced by "Configure App Service apps to disable public network access"
103+ - Deprecation of policy ** App Services should disable public network access**
104+ - Replaced by "App Service apps should disable public network access" to support * Deny* effect
105+ - ** App Service apps should disable public network access**
106+ - New policy created
107+ - ** App Service app slots should disable public network access**
108+ - New policy created
109+ - ** Configure App Service apps to disable public network access**
110+ - New policy created
111+ - ** Configure App Service app slots to disable public network access**
112+ - New policy created
113+ - ** Function apps should disable public network access**
114+ - New policy created
115+ - ** Function app slots should disable public network access**
116+ - New policy created
117+ - ** Configure Function apps to disable public network access**
118+ - New policy created
119+ - ** Configure Function app slots to disable public network access**
120+ - New policy created
121+ - ** Configure App Service app slots to turn off remote debugging**
122+ - New policy created
123+ - ** Configure Function app slots to turn off remote debugging**
124+ - New policy created
125+ - ** Configure App Service app slots to use the latest TLS version**
126+ - New policy created
127+ - ** Configure Function app slots to use the latest TLS version**
128+ - New policy created
129+ - ** App Service apps should use latest 'HTTP Version'**
130+ - Update scope to include Windows apps
131+ - ** Function apps should use latest 'HTTP Version'**
132+ - Update scope to include Windows apps
133+ - ** App Service Environment apps should not be reachable over public internet**
134+ - Modify policy definition to remove check on API version
135+
136+ ### September 2022
137+
138+ - ** App Service apps should be injected into a virtual network**
139+ - Update scope of policy to remove slots
140+ - Creation of "App Service app slots should be injected into a virtual network" to monitor slots
141+ - ** App Service app slots should be injected into a virtual network**
142+ - New policy created
143+ - ** Function apps should have 'Client Certificates (Incoming client certificates)' enabled**
144+ - Update scope of policy to remove slots
145+ - Creation of "Function app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
146+ - ** Function app slots should have 'Client Certificates (Incoming client certificates)' enabled**
147+ - New policy created
148+ - ** Function apps should use an Azure file share for its content directory**
149+ - Update scope of policy to remove slots
150+ - Creation of "Function app slots should use an Azure file share for its content directory" to monitor slots
151+ - ** Function app slots should use an Azure file share for its content directory**
152+ - New policy created
153+ - ** App Service apps should have 'Client Certificates (Incoming client certificates)' enabled**
154+ - Update scope of policy to remove slots
155+ - Creation of "App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled" to monitor slots
156+ - ** App Service app slots should have 'Client Certificates (Incoming client certificates)' enabled**
157+ - New policy created
158+ - ** App Service apps should use an Azure file share for its content directory**
159+ - Update scope of policy to remove slots
160+ - Creation of "App Service app slots should use an Azure file share for its content directory" to monitor slots
161+ - ** App Service app slots should use an Azure file share for its content directory**
162+ - New policy created
163+ - ** Function app slots should require FTPS only**
164+ - New policy created
165+ - ** App Service app slots should require FTPS only**
166+ - New policy created
167+ - ** Function app slots should not have CORS configured to allow every resource to access your apps**
168+ - New policy created
169+ - ** App Service app slots should not have CORS configured to allow every resource to access your app**
170+ - New policy created
171+ - ** Function apps should only be accessible over HTTPS**
172+ - Update scope of policy to remove slots
173+ - Creation of "Function app slots should only be accessible over HTTPS" to monitor slots
174+ - Add "Deny" effect
175+ - Creation of "Configure Function apps to only be accessible over HTTPS" for enforcement of policy
176+ - ** Function app slots should only be accessible over HTTPS**
177+ - New policy created
178+ - ** Configure Function apps to only be accessible over HTTPS**
179+ - New policy created
180+ - ** Configure Function app slots to only be accessible over HTTPS**
181+ - New policy created
182+ - ** App Service apps should use a SKU that supports private link**
183+ - Update list of supported SKUs of policy to include the Workflow Standard tier for Logic Apps
184+ - ** Configure App Service apps to use the latest TLS version**
185+ - New policy created
186+ - ** Configure Function apps to use the latest TLS version**
187+ - New policy created
188+ - ** Configure App Service apps to turn off remote debugging**
189+ - New policy created
190+ - ** Configure Function apps to turn off remote debugging**
191+ - New policy created
192+
193+ ### August 2022
194+
195+ - ** App Service apps should only be accessible over HTTPS**
196+ - Update scope of policy to remove slots
197+ - Creation of "App Service app slots should only be accessible over HTTPS" to monitor slots
198+ - Add "Deny" effect
199+ - Creation of "Configure App Service apps to only be accessible over HTTPS" for enforcement of policy
200+ - ** App Service app slots should only be accessible over HTTPS**
201+ - New policy created
202+ - ** Configure App Service apps to only be accessible over HTTPS**
203+ - New policy created
204+ - ** Configure App Service app slots to only be accessible over HTTPS**
205+ - New policy created
206+
207+ ### July 2022
208+
209+ - Deprecation of the following policies:
210+ - ** Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'**
211+ - ** Ensure that 'Python version' is the latest, if used as a part of the API app**
212+ - ** CORS should not allow every resource to access your API App**
213+ - ** Managed identity should be used in your API App**
214+ - ** Remote debugging should be turned off for API Apps**
215+ - ** Ensure that 'PHP version' is the latest, if used as a part of the API app**
216+ - ** API apps should use an Azure file share for its content directory**
217+ - ** FTPS only should be required in your API App**
218+ - ** Ensure that 'Java version' is the latest, if used as a part of the API app**
219+ - ** Ensure that 'HTTP Version' is the latest, if used to run the API app**
220+ - ** Latest TLS version should be used in your API App**
221+ - ** Authentication should be enabled on your API app**
222+ - ** Function apps should have 'Client Certificates (Incoming client certificates)' enabled**
223+ - Update scope of policy to include slots
224+ - Update scope of policy to exclude Logic apps
225+ - ** Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'**
226+ - Rename of policy to "App Service apps should have 'Client Certificates (Incoming client certificates)' enabled"
227+ - Update scope of policy to include slots
228+ - Update scope of policy to include all app types except Function apps
229+ - ** Ensure that 'Python version' is the latest, if used as a part of the Web app**
230+ - Rename of policy to "App Service apps that use Python should use the latest 'Python version'"
231+ - Update scope of policy to include all app types except Function apps
232+ - ** Ensure that 'Python version' is the latest, if used as a part of the Function app**
233+ - Rename of policy to "Function apps that use Python should use the latest 'Python version'"
234+ - Update scope of policy to exclude Logic apps
235+ - ** CORS should not allow every resource to access your Web Applications**
236+ - Rename of policy to "App Service apps should not have CORS configured to allow every resource to access your apps"
237+ - Update scope of policy to include all app types except Function apps
238+ - ** CORS should not allow every resource to access your Function Apps**
239+ - Rename of policy to "Function apps should not have CORS configured to allow every resource to access your apps"
240+ - Update scope of policy to exclude Logic apps
241+ - ** Managed identity should be used in your Function App**
242+ - Rename of policy to "Function apps should use managed identity"
243+ - Update scope of policy to exclude Logic apps
244+ - ** Managed identity should be used in your Web App**
245+ - Rename of policy to "App Service apps should use managed identity"
246+ - Update scope of policy to include all app types except Function apps
247+ - ** Remote debugging should be turned off for Function Apps**
248+ - Rename of policy to "Function apps should have remote debugging turned off"
249+ - Update scope of policy to exclude Logic apps
250+ - ** Remote debugging should be turned off for Web Applications**
251+ - Rename of policy to "App Service apps should have remote debugging turned off"
252+ - Update scope of policy to include all app types except Function apps
253+ - ** Ensure that 'PHP version' is the latest, if used as a part of the WEB app**
254+ - Rename of policy to "App Service apps that use PHP should use the latest 'PHP version'"
255+ - Update scope of policy to include all app types except Function apps
256+ - ** App Service slots should have local authentication methods disabled for SCM site deployment**
257+ - Rename of policy to "App Service app slots should have local authentication methods disabled for SCM site deployments"
258+ - ** App Service should have local authentication methods disabled for SCM site deployments**
259+ - Rename of policy to "App Service apps should have local authentication methods disabled for SCM site deployments"
260+ - ** App Service slots should have local authentication methods disabled for FTP deployments**
261+ - Rename of policy to "App Service app slots should have local authentication methods disabled for FTP deployments"
262+ - ** App Service should have local authentication methods disabled for FTP deployments**
263+ - Rename of policy to "App Service apps should have local authentication methods disabled for FTP deployments"
264+ - ** Function apps should use an Azure file share for its content directory**
265+ - Update scope of policy to include slots
266+ - Update scope of policy to exclude Logic apps
267+ - ** Web apps should use an Azure file share for its content directory**
268+ - Rename of policy to "App Service apps should use an Azure file share for its content directory"
269+ - Update scope of policy to include slots
270+ - Update scope of policy to include all app types except Function apps
271+ - ** FTPS only should be required in your Function App**
272+ - Rename of policy to "Function apps should require FTPS only"
273+ - Update scope of policy to exclude Logic apps
274+ - ** FTPS should be required in your Web App**
275+ - Rename of policy to "App Service apps should require FTPS only"
276+ - Update scope of policy to include all app types except Function apps
277+ - ** Ensure that 'Java version' is the latest, if used as a part of the Function app**
278+ - Rename of policy to "Function apps that use Java should use the latest 'Java version'"
279+ - Update scope of policy to exclude Logic apps
280+ - ** Ensure that 'Java version' is the latest, if used as a part of the Web app**
281+ - Rename of policy to "App Service apps that use Java should use the latest 'Java version"
282+ - Update scope of policy to include all app types except Function apps
283+ - ** App Service should use private link**
284+ - Rename of policy to "App Service apps should use private link"
285+ - ** Configure App Services to use private DNS zones**
286+ - Rename of policy to "Configure App Service apps to use private DNS zones"
287+ - ** App Service Apps should be injected into a virtual network**
288+ - Rename of policy to "App Service apps should be injected into a virtual network"
289+ - Update scope of policy to include slots
290+ - ** Ensure that 'HTTP Version' is the latest, if used to run the Web app**
291+ - Rename of policy to "App Service apps should use latest 'HTTP Version'"
292+ - Update scope of policy to include all app types except Function apps
293+ - ** Ensure that 'HTTP Version' is the latest, if used to run the Function app**
294+ - Rename of policy to "Function apps should use latest 'HTTP Version'"
295+ - Update scope of policy to exclude Logic apps
296+ - ** Latest TLS version should be used in your Web App**
297+ - Rename of policy to "App Service apps should use the latest TLS version"
298+ - Update scope of policy to include all app types except Function apps
299+ - ** Latest TLS version should be used in your Function App**
300+ - Rename of policy to "Function apps should use the latest TLS version"
301+ - Update scope of policy to exclude Logic apps
302+ - ** App Service Environment should disable TLS 1.0 and 1.1**
303+ - Rename of policy to "App Service Environment should have TLS 1.0 and 1.1 disabled"
304+ - ** Resource logs in App Services should be enabled**
305+ - Rename of policy to "App Service apps should have resource logs enabled"
306+ - ** Authentication should be enabled on your web app**
307+ - Rename of policy to "App Service apps should have authentication enabled"
308+ - ** Authentication should be enabled on your Function app**
309+ - Rename of policy to "Function apps should have authentication enabled"
310+ - Update scope of policy to exclude Logic apps
311+ - ** App Service Environment should enable internal encryption**
312+ - Rename of policy to "App Service Environment should have internal encryption enabled"
313+ - ** Function apps should only be accessible over HTTPS**
314+ - Update scope of policy to exclude Logic apps
315+ - ** App Service should use a virtual network service endpoint**
316+ - Rename of policy to "App Service apps should use a virtual network service endpoint"
317+ - Update scope of policy to include all app types except Function apps
318+
319+ ### June 2022
320+
321+ - Deprecation of policy ** API App should only be accessible over HTTPS**
322+ - ** Web Application should only be accessible over HTTPS**
323+ - Rename of policy to "App Service apps should only be accessible over HTTPS"
324+ - Update scope of policy to include all app types except Function apps
325+ - Update scope of policy to include slots
326+ - ** Function apps should only be accessible over HTTPS**
327+ - Update scope of policy to include slots
328+ - ** App Service apps should use a SKU that supports private link**
329+ - Update logic of policy to include checks on App Service plan tier or name so that the policy supports Terraform deployments
330+ - Update list of supported SKUs of policy to include the Basic and Standard tiers
331+
24332## Next steps
25333
26334- See the built-ins on the [ Azure Policy GitHub repo] ( https://github.com/Azure/azure-policy ) .
27335- Review the [ Azure Policy definition structure] ( ../governance/policy/concepts/definition-structure.md ) .
28- - Review [ Understanding policy effects] ( ../governance/policy/concepts/effects.md ) .
336+ - Review [ Understanding policy effects] ( ../governance/policy/concepts/effects.md ) .
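Review bot: The rename target in the July 2022 entry for "Ensure that 'Java version' is the latest, if used as a part of the Web app" has an unbalanced quote: it reads "App Service apps that use Java should use the latest 'Java version" and needs the closing single quote after version, as in the Function app entry directly above it. The October 2024 entry lists the affected policies in plain quotes, while the other sections put the affected policy name in bold. It also says those policies now enforce a minimum TLS version of 1.3 without stating what that means for existing assignments on apps set to a lower minimum, so a sentence on the compliance impact would help anyone auditing against them. The final -/+ pair on the "Understanding policy effects" line shows no visible text change; please confirm it is only an end-of-file newline fix.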