Cross-Blog: How to Create Azure Monitor Alerts for Non-Compliant Azure Policies

Recently, I have been asked to contribute to Microsoft’s ITOps Talk blog. My first article “How to Create Azure Monitor Alerts for Non-Compliant Azure Policies” have just been published. You can read it here: https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/How-to-Create-Azure-Monitor-Alerts-for-Non-Compliant-Azure/ba-p/713466

Continue reading

Updated Azure Policy for Azure Diagnostic Settings

Few months ago, I published a set of Azure Policy definitions to configure Azure resources diagnostic settings. You can find the original post here: https://blog.tyang.org/2018/11/19/configuring-azure-resources-diagnostic-log-settings-using-azure-policy/. The definitions were offered in the form of an ARM template. Since then, I have updated these policies, with the following updates: Additional policies for connecting Diagnostic Settings to Azure Event Hub In addition to policies to connect diagnostic settings to Log Analytics, I have added another set of policies to connect diagnostic settings of applicable resources to Azure Event Hubs Added ExistenceCondition in policy definitions ExistenceCondition detects if the resource you are trying to

Continue reading

New Azure Policy Definition: Deploy Microsoft IaaSAntimalware extension with custom configurations

Microsoft provides a built-in Azure Policy definition for deploying Windows Defender VM Extension. The name of this policy definition is Deploy default Microsoft IaaSAntimalware extension for Windows Server (id: /providers/Microsoft.Authorization/policyDefinitions/2835b622-407b-4114-9198-6f7064cbe0dc) This policy definition has many limitations: It does not support Windows 10 VMs It does not support custom VM images It does not support customization of the Windows Defender configurations (i.e. scan exclusions, etc.) I had a requirement to automatically deploy this VM extension with customised configuration. So I have re-written this policy, addressed all the limitations listed above. You can find it at my Azure Policy GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/deploy-windows-defender-vm-extension-custom-config.

Continue reading

New Azure Policy Definition: Deploy VM Shutdown Schedule

I wrote an Azure Policy definition few days ago, it deploys VM shutdown schedule together with VMs using deployIfNotExists effect. You can find it at my Azure Policy GitHub repo: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/deploy-vm-shutdown-schedule. This policy will be very useful when managing non-production workload. Input parameters: Deployed schedule:

Continue reading

Deploying Azure Policy Definitions via Azure DevOps (Part 3)

This is the 3rd and final installment of the 3-part blog series. You can find the other parts here: Part 1: Custom deployment scripts for policy and initiative definitions Part 2: Pester-test policy and initiative definitions in the build pipeline Part 3: Configuring build (CI) and release (CD) pipelines in Azure DevOps In this part, I will walk through how I configured the build and release pipelines for deploying policy and initiative definitions at scale. Pre-requisites The following pre-requisistes are required before start creating the pipelines: 1. Creating Azure AD Service Principals We need to create service principals in each

Continue reading

Deploying Azure Policy Definitions via Azure DevOps (Part 2)

This is the 2nd installment of the 3-part blog series. You can find the other parts here: Part 1: Custom deployment scripts for policy and initiative definitions Part 2: Pester-test policy and initiative definitions in the build pipeline Part 3: Configuring build (CI) and release (CD) pipelines in Azure DevOps In this part, I will walk through the PowerShell module I have developed to pester-test policy and initiative definitions. My intention is to uses these tests to perform syntax validation in the build pipeline, ensure all the definition files are valid before being deployed in the release pipelines. You can

Continue reading

Deploying Azure Policy Definitions via Azure DevOps (Part 1)

Introduction Recently I needed to deploy a large number of Azure policy and initiative definitions at customer’s environments using Azure DevOps. These definitions needed to be deployed to different environments (different Management Group hierarchies in different Azure AD Tenants). I faced some difficulties when working on this solution, due to the following limitations: 1. Currently templates do not support Management Groups So I can’t use ARM templates in this case. But, I still needed to develop a solution no matter where should the definitions being deployed (either to a management group or a subscription). 2. Limitations in Azure PowerShell cmdlet

Continue reading

Configuring Azure Resources Diagnostic Log Settings Using Azure Policy

In an Azure Policy definition, the “effect” section defines the behaviour of the policy if defined conditions are met. For example, the “Deny” effect will block the resource from being deployed in the first place, “Append” will add a set of properties to the resource you are deploying before being deployed by the ARM engine, and “DeployIfNotExists” deploys a resource if it does not already exist. In the old days, the biggest limitation I have faced was the use of “DeployIfNotExists” effect was only limited to built-in policies. In another word, If Microsoft hasn’t already created a policy for you,

Continue reading
%d bloggers like this: