Azure Policies

Azure Policies ensure that resources created in Azure subscriptions linked to Yale University’s enrollment account and under the management of Cloud Support Service adhere to university policy and governance.

| Policy name | Description | Effect Selected at Application |
| --- | --- | --- |
| Yale - New Windows Server Azure VMs should have the Azure Hybrid Benefit enabled | New Windows Azure VMs should have the Azure Hybrid Benefit enabled. This policy appends the `Windows_Server` license type value to applicable Windows Server instances upon creation. This policy also applies to Windows Server VMs not created from a marketplace image. | Append |
| Yale - Network interfaces should not have public IPs for specific VNETs | This policy denies network interfaces that are configured with any public IP and are connected to one of the listed VNETs, which are known to route to the Yale network. | Deny |
| Yale - Azure Web Apps should require https and a minimum TLS v1.2 | This policy enforces that all web requests to Azure Web Apps must use HTTPS and TLS v1.2 or higher. It will configure new deployments to this standard and flag existing web apps in violation for review. | Append |
| Yale - Azure Storage accounts must require https and a minimum TLS v1.2 from clients | This policy enforces that all web requests to Azure Storage accounts use HTTPS and TLS v1.2 or higher. Storage accounts created in the Azure portal will have HTTPS and TLS v1.2 already set as default values. This policy will deny storage accounts created by REST API calls or ARM templates that do not explicitly set these values. | Deny |
| Yale - Azure Resource groups should be tagged with OwnerDepartmentContact | Cost reports require that resource groups in Azure be labelled with the owner's department contact to resolve any billing issues. The policy may be set to audit or deny upon assignment. | Audit |
| Yale - Azure Resource groups should be tagged with ChargingAccount | Cost reports require that resource groups in Azure be labelled with the owner's charging account to resolve any billing issues. The policy may be set to audit or deny upon assignment. | Audit |
| Yale - Azure Resource groups should be tagged with Application | Cost reports require that resource groups in Azure be labelled with the application name to resolve any billing issues. The policy may be set to audit or deny upon assignment. | Audit |
| Yale - Allowable US Azure Regions for Azure Resources | This policy restricts the creation of Azure Resources to a select list of Azure Regions in the US Azure Geography. The policy may be set to audit or deny upon assignment. | Deny |
| Yale - Allowable US Azure Regions for Azure Resource Groups | This policy restricts the creation of Azure Resource Groups to a select list of Azure Regions in the US Azure Geography. The policy may be set to audit or deny upon assignment. | Deny |
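
The storage account policy above denies ARM template or REST deployments that leave HTTPS and TLS settings implicit, so a template can be checked before it is submitted. The following is an added example, not Yale's policy definition or code from this page; it assumes the policy keys on the ARM properties `supportsHttpsTrafficOnly` and `minimumTlsVersion`, and the template and function names are constructed for illustration.

```python
import json

# Constructed sample ARM template (not from the page).
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.Storage/storageAccounts", "name": "explicitok",
   "properties": {"supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2"}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "implicitdefaults",
   "properties": {}},
  {"type": "Microsoft.Storage/storageAccounts", "name": "weaktls",
   "properties": {"supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0"}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "ignored", "properties": {}}
]}
""")

STORAGE_TYPE = "microsoft.storage/storageaccounts"
TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]  # weakest to strongest

def _is_expression(value):
    # ARM template expressions such as "[parameters('tls')]" cannot be judged statically.
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")

def check_storage_account(resource):
    """Return findings for one storage account; an empty list means it passes."""
    props = resource.get("properties") or {}
    findings = []
    for key in ("supportsHttpsTrafficOnly", "minimumTlsVersion"):
        value = props.get(key)
        if value is None:
            # The case the policy description calls out: relying on a default.
            findings.append(f"{key} is not set explicitly")
        elif _is_expression(value):
            findings.append(f"{key} uses a template expression; verify the resolved value")
        elif key == "supportsHttpsTrafficOnly" and value is not True:
            findings.append("supportsHttpsTrafficOnly is not true")
        elif key == "minimumTlsVersion" and (
            value not in TLS_ORDER or TLS_ORDER.index(value) < TLS_ORDER.index("TLS1_2")
        ):
            findings.append(f"minimumTlsVersion {value!r} is below TLS1_2")
    return findings

def lint_template(template):
    """Map storage account name -> findings for top-level resources that fail."""
    report = {}
    for res in template.get("resources", []):
        if res.get("type", "").lower() == STORAGE_TYPE:
            findings = check_storage_account(res)
            if findings:
                report[res.get("name", "<unnamed>")] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(lint_template(SAMPLE), indent=2))
```

Only top-level `resources` entries are inspected; nested or linked templates need to be expanded first.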