November 2020 Update for Azure Diagnostic Settings Policy Definitions

Last month, I released some updates to the Azure Policy definitions for Diagnostic Settings. After that update, there was a requirement for me to revisit and revalidate all existing policy definitions, so I have spent a few days going through them all, making sure they are still up to date. I have also added a few definitions for additional Azure services. Here’s the change log: Updated the existing policy definitions for the following Azure services: Azure Container Registry, Azure Kubernetes Service, Azure API Management, Azure Cognitive Services, Cosmos DB, Azure Data Factory, Event Grid Topic, ExpressRoute Circuits, Azure Firewall, Azure

Continue reading

October 2020 Update for Azure Diagnostic Settings Policy Definitions

Over the last couple of years, I’ve been maintaining a set of custom Azure Policy definitions for deploying Diagnostic Settings for applicable Azure services. You can find them in my GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/resource-diagnostics-settings. I’ve updated them again over the last couple of weeks. This is what’s changed: Diagnostic Settings policies: minor bug fix for the Diagnostic Settings policies for Azure Automation Account; updated policies for Event Hub, including additional log categories that weren’t available when the policy was first written; also updated policies for Recovery Services Vault, adding additional log categories; updated policies for SQL Managed Instance – added

Continue reading

Managing Azure Resource Tags using Azure Policy Modify Effect

The new Modify effect for Azure Policy was introduced a few months ago. I was really excited about this new addition, but unfortunately I haven’t had time to write this post until today. The Modify effect is designed SPECIFICALLY for managing resource tags. You can use it to add / update / remove tags during resource creation or update (basically for both new and existing resources). Problem we had… Before the Modify effect was introduced, we were managing the tags using the “Deny” and “Append” effects: Deny: the “Require tag and its value” policy, “Require tag and its value on resource groups”

Continue reading
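A worked Modify-effect definition, added here as an example and not code from the post above or the author's repo: it adds or replaces a single tag on any resource that lacks the tag or carries a different value, and shows the two things the Deny/Append approach never needed, a managed identity on the assignment and a remediation task for resources that already exist. The tag name and value, the assignment name and the identity region are placeholders; the Contributor role id is the one the built-in tag policies grant to the assignment identity.

```powershell
# Added example, not code from the original post or the author's repo: a custom definition
# using the Modify effect to add or replace one tag. Tag name/value, assignment name and the
# region of the assignment identity are placeholders chosen for illustration.
$policyRule = @'
{
  "if": {
    "anyOf": [
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "notEquals": "[parameters('tagValue')]" }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
      ],
      "operations": [
        {
          "operation": "addOrReplace",
          "field": "[concat('tags[', parameters('tagName'), ']')]",
          "value": "[parameters('tagValue')]"
        }
      ]
    }
  }
}
'@

$policyParameters = @'
{
  "tagName":  { "type": "String", "metadata": { "displayName": "Tag name" } },
  "tagValue": { "type": "String", "metadata": { "displayName": "Tag value" } }
}
'@

$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# Indexed mode limits evaluation to resource types that support tags and location.
$definition = New-AzPolicyDefinition -Name 'modify-add-or-replace-tag' `
    -DisplayName 'Add or replace a tag on resources (Modify effect)' `
    -Description 'Adds the tag when missing and replaces it when the value differs.' `
    -Mode Indexed -Policy $policyRule -Parameter $policyParameters

# Modify needs a system-assigned identity on the assignment.
$assignment = New-AzPolicyAssignment -Name 'enforce-env-tag' -Scope $scope `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ tagName = 'env'; tagValue = 'prod' } `
    -AssignIdentity -Location 'australiaeast'

# The portal grants the roleDefinitionIds to the identity automatically; PowerShell does not,
# so grant them here (the new identity can take a little while to replicate first).
Start-Sleep -Seconds 30
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -Scope $scope `
    -RoleDefinitionId 'b24988ac-6180-42a0-ab88-20f7382dd24c'

# Create/update requests are modified inline; resources that already exist are only
# reported as non-compliant until a remediation task is run against the assignment.
Start-AzPolicyRemediation -Name 'remediate-env-tag' -Scope $scope `
    -PolicyAssignmentId $assignment.ResourceId
```

The `if` block deliberately matches both the missing-tag and wrong-value cases, so a single assignment replaces both the “Require tag and its value” Deny policy and the Append policy. If the role assignment step is skipped, the assignment is created without error but every remediation deployment fails with an authorization error.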

Updated Azure Policy Definitions for Azure Diagnostics Settings Again

I first published a set of policy definitions for configuring Azure resource diagnostic settings last year. You can find the original post here: https://blog.tyang.org/2018/11/19/configuring-azure-resources-diagnostic-log-settings-using-azure-policy/. I have been keeping them up to date since then. I’ve updated the policy definitions for the resource Diagnostic Settings again today with the following updates: New policies added: Azure Bastion Hosts, Azure AD Domain Services. Existing policy updated: Azure App Service – with support for the additional logs announced at Ignite 2019; also, the name of the policy file has changed. Removed (since they were incorrectly written in the first place and never worked): VM, VMSS

Continue reading

Cross-Blog: How to Create Azure Monitor Alerts for Non-Compliant Azure Policies

Recently, I have been asked to contribute to Microsoft’s ITOps Talk blog. My first article, “How to Create Azure Monitor Alerts for Non-Compliant Azure Policies”, has just been published. You can read it here: https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/How-to-Create-Azure-Monitor-Alerts-for-Non-Compliant-Azure/ba-p/713466

Continue reading

Updated Azure Policy for Azure Diagnostic Settings

A few months ago, I published a set of Azure Policy definitions to configure Azure resource diagnostic settings. You can find the original post here: https://blog.tyang.org/2018/11/19/configuring-azure-resources-diagnostic-log-settings-using-azure-policy/. The definitions were offered in the form of an ARM template. Since then, I have updated these policies, with the following updates: Additional policies for connecting Diagnostic Settings to Azure Event Hubs – in addition to the policies that connect diagnostic settings to Log Analytics, I have added another set of policies to connect the diagnostic settings of applicable resources to Azure Event Hubs. Added ExistenceCondition in policy definitions – ExistenceCondition detects if the resource you are trying to

Continue reading

New Azure Policy Definition: Deploy Microsoft IaaSAntimalware extension with custom configurations

Microsoft provides a built-in Azure Policy definition for deploying the Windows Defender VM extension. The name of this policy definition is Deploy default Microsoft IaaSAntimalware extension for Windows Server (id: /providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc). This policy definition has several limitations: it does not support Windows 10 VMs; it does not support custom VM images; it does not support customisation of the Windows Defender configuration (e.g. scan exclusions). I had a requirement to automatically deploy this VM extension with a customised configuration, so I have re-written this policy, addressing all the limitations listed above. You can find it at my Azure Policy GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/deploy-windows-defender-vm-extension-custom-config.

Continue reading

New Azure Policy Definition: Deploy VM Shutdown Schedule

I wrote an Azure Policy definition a few days ago; it deploys a VM shutdown schedule together with VMs using the deployIfNotExists effect. You can find it at my Azure Policy GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/deploy-vm-shutdown-schedule. This policy will be very useful when managing non-production workloads. Input parameters: Deployed schedule:

Continue reading

Deploying Azure Policy Definitions via Azure DevOps (Part 3)

This is the 3rd and final installment of the 3-part blog series. You can find the other parts here: Part 1: Custom deployment scripts for policy and initiative definitions; Part 2: Pester-test policy and initiative definitions in the build pipeline; Part 3: Configuring build (CI) and release (CD) pipelines in Azure DevOps. In this part, I will walk through how I configured the build and release pipelines for deploying policy and initiative definitions at scale. Prerequisites: the following prerequisites are required before you start creating the pipelines: 1. Creating Azure AD service principals. We need to create service principals in each

Continue reading

Deploying Azure Policy Definitions via Azure DevOps (Part 2)

This is the 2nd installment of the 3-part blog series. You can find the other parts here: Part 1: Custom deployment scripts for policy and initiative definitions; Part 2: Pester-test policy and initiative definitions in the build pipeline; Part 3: Configuring build (CI) and release (CD) pipelines in Azure DevOps. In this part, I will walk through the PowerShell module I have developed to Pester-test policy and initiative definitions. My intention is to use these tests to perform syntax validation in the build pipeline, ensuring all the definition files are valid before they are deployed in the release pipelines. You can

Continue reading
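In the spirit of the syntax validation described above, here is a Pester 4 test script, added as an example and not the author's module: it walks a folder of definitions and checks each file's structure, including two things that only bite at deployment time, an effect that needs a managed identity without any roleDefinitionIds, and a rule that references a parameter the definition never declares. The folder name, the file name azurepolicy.json and the assumption that each file is a full definition with a top-level properties object are mine, not the repo's.

```powershell
# Added example (not the author's module): Pester 4 tests that validate policy definition files
# before deployment. Assumed layout: one azurepolicy.json per definition folder under
# $DefinitionRoot, each a full definition with properties.{displayName,mode,parameters,policyRule}.
param (
    [string] $DefinitionRoot = (Join-Path $PSScriptRoot 'policy-definitions')
)

$validEffects = @('audit', 'auditifnotexists', 'deny', 'deployifnotexists', 'modify', 'append', 'disabled')
$files = Get-ChildItem -Path $DefinitionRoot -Filter 'azurepolicy.json' -Recurse -File

Describe 'Azure Policy definition files' {
    foreach ($file in $files) {
        Context $file.FullName {
            $definition = $null
            try { $definition = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json } catch { }
            $props = $definition.properties
            $rule = $props.policyRule

            It 'is valid JSON with a properties object' {
                $definition | Should -Not -BeNullOrEmpty
                $props | Should -Not -BeNullOrEmpty
            }

            It 'declares displayName, mode and an if/then policyRule' {
                $props.displayName | Should -Not -BeNullOrEmpty
                $props.mode | Should -BeIn @('All', 'Indexed')
                $rule.if | Should -Not -BeNullOrEmpty
                $rule.then | Should -Not -BeNullOrEmpty
            }

            # The effect is either a literal or "[parameters('x')]"; in the latter case every
            # allowed value of that parameter must itself be a supported effect.
            $effectCandidates = @()
            $effect = [string]$rule.then.effect
            if ($effect -match "^\[parameters\('([^']+)'\)\]$") {
                $effectCandidates = @($props.parameters.($Matches[1]).allowedValues)
            } elseif ($effect) {
                $effectCandidates = @($effect)
            }

            It 'uses only supported effects' {
                $effectCandidates | Should -Not -BeNullOrEmpty
                foreach ($e in $effectCandidates) { $e.ToLower() | Should -BeIn $validEffects }
            }

            $needsIdentity = @($effectCandidates | Where-Object { $_ -match '^(deployIfNotExists|modify)$' }).Count -gt 0
            It 'lists roleDefinitionIds when the effect needs a managed identity' -Skip:(-not $needsIdentity) {
                @($rule.then.details.roleDefinitionIds).Count | Should -BeGreaterThan 0
            }

            $isDine = @($effectCandidates | Where-Object { $_ -ieq 'deployIfNotExists' }).Count -gt 0
            It 'has an existenceCondition and a deployment template for deployIfNotExists' -Skip:(-not $isDine) {
                $rule.then.details.existenceCondition | Should -Not -BeNullOrEmpty
                $rule.then.details.deployment.properties.template | Should -Not -BeNullOrEmpty
            }

            It 'only references parameters it declares' {
                # Deep copy, then drop the nested ARM template: its parameters() calls are
                # template-scoped and must not be mistaken for policy parameters.
                $scan = $rule | ConvertTo-Json -Depth 100 | ConvertFrom-Json
                if ($scan.then.details.deployment.properties.template) {
                    $scan.then.details.deployment.properties.template = $null
                }
                $text = $scan | ConvertTo-Json -Depth 100 -Compress
                $referenced = [regex]::Matches($text, "parameters\('([^']+)'\)") |
                    ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
                $declared = @()
                if ($props.parameters) { $declared = @($props.parameters.PSObject.Properties.Name) }
                @($referenced | Where-Object { $_ -notin $declared }) | Should -BeNullOrEmpty
            }
        }
    }
}
```

In a build pipeline, run it with `Invoke-Pester -Script @{ Path = '.\PolicyDefinitions.Tests.ps1'; Parameters = @{ DefinitionRoot = '.\policy-definitions' } } -OutputFormat NUnitXml -OutputFile TestResults.xml` and publish TestResults.xml with the Publish Test Results task, so a bad definition fails the build before anything reaches the release pipeline. The script uses Pester 4 scoping (variables set in the Context body are visible to the It blocks); under Pester 5 the per-file setup would need to move into BeforeAll.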