Azure Policy for Virtual Machine Customer-Managed Boot Diagnostic Storage Accounts

I wrote an Azure Policy definition today to audit or deny VMs that are not using customer-managed storage accounts for Boot Diagnostics. The default policy effect is Deny but can be changed to Audit when assigning the policy because it’s parameterized.

This policy will block or generate audit log if the Virtual Machine has either disabled boot diagnostic or configured to use Microsoft-Managed storage account.

The policy definition can be found in my AzurePolicy GitHub repo HERE.