As of writing this post (August 8th, 2019) there are 159 Azure Policies available, 111 of them in preview (and 27 deprecated). In this post I try to come up with a decent set of 'common sense' policies that can prevent data leaks or other issues; I focus primarily on security-related policies. Some of them are so essential that I would always recommend enabling them; others are very specific, so let us use the old consultant wisdom: "it depends"!
Azure Policies are the new silver bullet for all things governance: last week (November 10, 2018) a new policy was introduced that can audit the applications installed inside virtual machines (see intro post).
I wanted to know whether it is possible to detect software that should not be installed. Imagine you want to discover all servers on which a specific software version that has run out of support is installed, or software that has not yet been approved. There are many such scenarios.
The Azure Marketplace makes it easy to add new types of VMs to any Azure environment. Sometimes those VMs carry additional charges that were not approved; sometimes they come from a third-party source that was not approved. Unfortunately, at the time of writing and according to the Marketplace FAQ, the Azure Marketplace can only be enabled or disabled for EA (Enterprise Agreement) customers. This situation is far from ideal from a governance perspective.
In this post I will show you how to use the Azure Policy service to audit, or even deny, the creation of such VMs.
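To make the audit/deny idea concrete, here is a custom Azure Policy definition that flags (or blocks) virtual machines whose image publisher is not on an allow-list. This is an added example, not the policy from the original post: the display name, the parameter names and the default publisher list (`MicrosoftWindowsServer`, `Canonical`) are assumptions you would replace with your own approved publishers. The `Microsoft.Compute/imagePublisher` alias is the field Azure Policy exposes for the Marketplace/platform image a VM was created from; the `exists` check keeps VMs built from custom images (which have an `imageId` rather than a publisher) out of scope instead of misreporting them.

```json
{
  "properties": {
    "displayName": "Allowed VM image publishers (example)",
    "description": "Audits or denies VMs whose Marketplace image publisher is not in the approved list. Added example, not a built-in policy.",
    "mode": "Indexed",
    "parameters": {
      "allowedPublishers": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed image publishers",
          "description": "Marketplace publisher names that are approved for VM creation."
        },
        "defaultValue": [
          "MicrosoftWindowsServer",
          "Canonical"
        ]
      },
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit only reports non-compliance; Deny blocks new deployments."
        },
        "allowedValues": [
          "Audit",
          "Deny"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "exists": "true"
          },
          {
            "field": "Microsoft.Compute/imagePublisher",
            "notIn": "[parameters('allowedPublishers')]"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Start with `Audit` and review the compliance results before switching the assignment to `Deny`: a `Deny` effect only stops new deployments, while VMs that already exist keep running and simply show up as non-compliant. If publisher alone is too coarse (some publishers ship both approved and unapproved offers), the same pattern extends to the `Microsoft.Compute/imageOffer` and `Microsoft.Compute/imageSku` aliases. Note that this rule targets `Microsoft.Compute/virtualMachines` only; VM scale sets are a separate resource type and would need their own condition.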