Channel: Azure Management Portal forum

Special treatment of the ‘Type’ and ‘Name’ fields in Azure policy evaluation


Many different fields can be used to form logical conditions in Azure policy rules. The fields ‘Type’ and ‘Name’ are special because they are not only used as a logical condition to evaluate whether a resource is compliant or non-compliant against the policy, they are also used to determine whether a resource should be evaluated or not, that is, whether the resource is applicable or not for the policy evaluation. According to the Microsoft document “Get compliance data of Azure resources” (https://docs.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data):

“Azure Policy uses the type and name fields in the definition to determine if a resource is a match. When the resource matches, it's considered applicable and has a status of either Compliant or Non-compliant. If either type or name is the only property in the definition, then all resources are considered applicable and are evaluated.”

Suppose that there is a resource group containing a few VMs, storage accounts, VNETs and some subnets. If the following policy rule is assigned to the resource group,

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "not": {
            "field": "tags[tag1]",
            "equals": "tag-value1"
          }
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}

only the VMs in the group will be applicable, evaluated and marked as compliant or non-compliant. Other resources like storage accounts, VNETs and subnets will NOT be evaluated.

If there is only one ‘Type’ field in the rule,

{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Compute/virtualMachines"
    },
    "then": {
      "effect": "Audit"
    }
  },
  "parameters": {}
}

then all resources in the resource group will be applicable and evaluated. The VMs will be marked as non-compliant, while all other resources like storage accounts, VNETs and subnets will be marked as compliant.

In fact, the situation that all resources are applicable because the “Type” or “Name” field is the only property in the rule is just a special case. As long as the “Type” or “Name” field is not a necessary condition, all resources in the policy scope will be applicable. For example, the following policy has two fields and is very similar to the first rule above, but with the logical operator “anyOf” instead of “allOf”.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "anyOf": [
        {
          "field": "type",
          "equals": "Microsoft.Compute/virtualMachines"
        },
        {
          "not": {
            "field": "tags[tag1]",
            "equals": "tag-value1"
          }
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}

In this case, all resources in the resource group are applicable and will be evaluated.
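As an added illustration (not part of the post above and not Azure's own evaluation code), the following Python models the applicability behaviour the post describes and evaluates its three rules against a constructed resource group; the sample resources, the helper names and the "not applicable" status label are assumptions made for the example.

```python
# Model of how 'type'/'name' fields decide which resources a policy rule applies
# to. Constructed illustration based on the post above, not Azure's engine.
VM = "Microsoft.Compute/virtualMachines"

def get_field(resource, field):
    """Resolve a policy field: a plain property or the tags[<key>] alias."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    return resource.get(field)

def matches(cond, resource):
    """Evaluate a policyRule 'if' condition (allOf/anyOf/not/equals)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    if "equals" in cond:
        return get_field(resource, cond["field"]) == cond["equals"]
    raise ValueError(f"unsupported condition: {cond}")

def required_selectors(cond):
    """Type/name conditions that narrow applicability. Per the post, a type/name
    field that is the whole condition narrows nothing (all resources are evaluated);
    one that is a direct member of a top-level allOf is necessary and does narrow."""
    if "allOf" not in cond:
        return []
    return [c for c in cond["allOf"] if c.get("field") in ("type", "name")]

def evaluate(policy, resources):
    """Name -> status; a true 'if' fires the audit effect, i.e. non-compliant."""
    cond = policy["policyRule"]["if"]
    selectors = required_selectors(cond)
    return {r["name"]: ("not applicable" if not all(matches(s, r) for s in selectors)
                        else "non-compliant" if matches(cond, r) else "compliant")
            for r in resources}

# Constructed sample scope: a tagged VM, an untagged VM, a storage account, a VNET.
RESOURCES = [
    {"name": "vm1", "type": VM, "tags": {"tag1": "tag-value1"}},
    {"name": "vm2", "type": VM, "tags": {}},
    {"name": "st1", "type": "Microsoft.Storage/storageAccounts", "tags": {}},
    {"name": "vnet1", "type": "Microsoft.Network/virtualNetworks", "tags": {}},
]
TYPE_IS_VM = {"field": "type", "equals": VM}
TAG_MISSING = {"not": {"field": "tags[tag1]", "equals": "tag-value1"}}
RULE_ALL_OF = {"policyRule": {"if": {"allOf": [TYPE_IS_VM, TAG_MISSING]}, "then": {"effect": "audit"}}}
RULE_TYPE_ONLY = {"policyRule": {"if": TYPE_IS_VM, "then": {"effect": "Audit"}}}
RULE_ANY_OF = {"policyRule": {"if": {"anyOf": [TYPE_IS_VM, TAG_MISSING]}, "then": {"effect": "audit"}}}
```

Running `evaluate(RULE_ALL_OF, RESOURCES)` marks only the two VMs, while the type-only and anyOf rules mark every resource in the scope.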


Azure Tags Policy


Quick question,

Is there any way to limit the policy definition "Require specified tag" to virtual machines only?

By default the definition applies to all resources within a resource group. I need to narrow down the scope to VMs only.

Guest accounts in GOV Cloud?

Does anyone know if you Azure Government Cloud?

Nosh Mernacaj, Identity Management Specialist

Inactive Users Report for Azure Active Directory Applications


I have been trying to find a way to gather a report that is easy to get for an on-prem AD environment, but apparently not so easy for an Azure AD environment:

We have a number of users that sign into Azure Enterprise Applications, but do not use O365 products and do not log on to our on-prem domain. We are trying to find a way to run a report on users that have not logged into any Enterprise Applications in the past n months, in order to find stale accounts. A report that lists the last logon for all users would also be sufficient, but again it would need to be based on Azure application logins, not O365.

I have been checking 3rd party reporting tools but have only found reports for O365, not for Azure AD applications. Thank you in advance!


What Is The Best Way To Schedule a Task in Azure Portal?

I am trying to figure out what is an efficient way to run a scheduled task in the Azure Portal. I need to call a web service endpoint on the first of every month and am wondering how I can achieve that?

Can we query Log Analytics data from ADF??


Hi All,

I have a use case to query Log Analytics tables from ADF, like using a lookup to connect to SQL Server or a file system.

Is there a way where we can connect to Log Analytics and run a Kusto query?
Let me know if anyone has tried this.

Regards,
Pavan

Azure PIM approval workflow


Hi

I have tried to configure Azure PIM, however no request is coming to anyone to approve the request.

For example

I have user john@domain.com and user bob@domain.com. John is global administrator and Bob is just a reader.

However, Bob was assigned the Exchange administrator role and Bob can see that he is assigned that role.

Now Bob wants to activate his role for one hour and he successfully does it, however nobody gets a request to approve it.

What would be the workflow so that the global administrator gets a notification to decide whether to approve or deny this request?

There is no documentation on how to establish that the global admin or someone else gets this request and then approves or denies it.

I would expect that this role would require approval from somebody, not just sit in the user portal, and that someone would get an e-mail that they should approve or deny it, but no approval is granted.

User Bob can see that he is device administrator and Exchange administrator, however the global admin or anyone else doesn't get any approval requests.


Dalibor Bosic


How to find completely unused, dead-end resource groups?


Hi there,

1. I guess that my subscription has some old and unused resource groups. However, I'm not sure which ones really have no connections and activities anymore. Can anyone explain to me how I can find those resource groups?

2. In the resource groups that are in use, I sometimes have a vault included as part of the group. How can I figure out if this vault is actually having any activity/traffic/etc., or if it is just there but has "no job" to do?

Many thanks.


Can't delete old Cloud Service


Hello!

I have recently migrated an old storage account from classic to ARM, and forgot it was used by an old Cloud Service VM (no warning from the portal here). Now there's no way to delete this VM because the portal says it's in an invalid state.

Any tips?



License for Global Administrator in Azure


Hi

I am wondering whether I need a license for Global Administrator in Azure if the Global Administrator doesn't need MFA, Intune or other services but should be able to manage these services.

I would assume that I don't need a license because the Global Administrator will not receive services but just manage other users.

Am I right or wrong?


Dalibor Bosic

Can you restrict dashboard alerts to certain hours? how?


Hi,

We have alerts set up to notify us that a processor is exceeding the expected cpu usage.

However, during the night we run some batch jobs, so high usage is expected. I don't want to get the alerts when the batch jobs are running. Is there a way to exclude certain hours from alert firing? For example, I'd like an alert to fire when the CPU % utilization is over 50% during the hours of 6:00 AM ET and 11:00 PM ET (i.e. not between the hours of 11:01 PM and 5:59 AM ET).

Thanks.

Azure Policy for Resource Group Budgets


Hi,

I am looking at setting up budgets for all of my Resource Groups within my subscription and would like to make sure that all new Resource Groups will require a budget upon creation. Is there a policy that can be applied to ensure that a Resource Group needs a budget attached in order to be created, or a way of tracking which Resource Groups do not have an active budget? What is the best method of ensuring that an active budget is applied to each Resource Group?

Any suggestions would be greatly appreciated.

Thanks  


Your local network settings might be preventing the Query Editor from issuing queries. Please click here for instructions on how to configure your network settings.


Hello,

We've been using Azure for a little while and just recently have started to receive the following error message upon signing in:

Your local network settings might be preventing the Query Editor from issuing queries. Please click here for instructions on how to configure your network settings.

I have raised the matter with our internal IT team, however they say it is a Microsoft Azure technical issue.

Has anyone experienced a similar problem before? And if so, what has been the resolution?

Thank you

Hybrid joined devices marked without owner


Hi,

So I have an older unresolved issue that has led to this new issue:

About 1.5 years ago we decided to get further into device management in our organization.

As we had already made the switch to the E3 solution we decided to roll with Intune.

Now in order to get this to work properly we had to convert our existing on-site solution to the Azure Hybrid solution (to my understanding).

I had finally got our Windows 10 devices to be registered as Azure AD registered, and got a Bitlocker policy running, and our users could log into their myapps portal and check their bitlocker key in case something fessed up. So far so good.

But our hybrid setup simply didn't work, and the devices never registered as hybrid joined, so we were kind of stuck, and due to a ton of other projects we shelved the hybrid project for another day.

Then half a year ago, in April, all new devices suddenly stopped being registered in Azure AD. I couldn't find an explanation for this, and got no response on my support request. But while troubleshooting I found the missing pieces to get our hybrid environment up and running, and after setting up the last part of the compliance policies I've also started to see new devices both as Azure AD registered and Hybrid joined, but the Azure registration just disappears once the hybrid join has finalized.

Now, the new issue is that the devices register without an owner, and thereby the users can't see the device from the myapps portal and access their bitlocker key.

We can, of course, provide it to them but why is this seen as a feature according to Microsoft instead of a bug??

Auto-configure azure cloud shell


I need that when new users open https://shell.azure.com/ the initial configuration does not have to be set. Is this possible?

All IMGs must be in a storage account that I choose.

How can I do it? Is there a PowerShell script that I can run when a user needs to use Cloud Shell? Or what are the minimum permissions to give users so that they can only create their IMG in the storage account that I choose?


Cloud shell (power shell/bash) - Failed to connect terminal: websocket cannot be established


Failed to connect terminal: websocket cannot be established.

Your cloud drive has been created in:

Subscription Id: ********-*****-*****-**-*********
Resource group:  az-migrate-assessment-rg
Storage account: cs18b160d2aad45x4ab6x867
File share:      cs18b160d2aad45x4ab6x867

Initializing your account for Cloud Shell...\
Requesting a Cloud Shell.Succeeded.
Connecting terminal...


Failed to connect terminal: websocket cannot be established. Press "Enter" to reconnect.

Restoring Azure Notification HUB


Unfortunately we have deleted a notification hub from my account which has 20,000 devices registered with that hub.

Is it possible to restore it back again?




Unable to see notifications in a notification column in Azure portal


I am not seeing any text/notification messages in my notification column in the portal.

I see 3 blinking dots.

I tried different browsers (incognito, edge, firefox.)

I reset my options to defaults and changed themes, rebooted the PC and tried on a different PC; it is still showing a white blank background with 3 blinking dots.

I am able to see messages when using the Monitor - Activity log option.

I have been experiencing this issue for the last 2 days (started around 10/14/19).

Identify unused resources

Is there a way within Azure or a third party tool to better identify unused resources? I don't see anything off the bat that would be of help and could offer up cost savings.

LB basic sku functionality and configuration in separate availability zones?


If we use a basic SKU LB, which is free, is there no option via ARM to add a certificate to this LB? Can I place a web certificate on each web server? And does this LB automatically distribute traffic to the online server should the other server become offline?

We are assuming this is 3 web servers. Can we place each of these web servers in separate availability zones with one basic SKU LB? Will using a standard SKU LB make a difference in our scenario? However, this LB asks for a public IP; please confirm?

Also wondering if we should use scale sets and place a web server in separate availability zones? However, scale sets also require an LB. Thinking we would like to use the basic LB since it is free; would you recommend this?


dsk
