Skip to content

Policy Catalog

Compute Guardrails (6 policies — MG scope)

#	Name	Display Name	Effect	Description
1	`smb-compute-01`	Allowed VM SKUs	Deny	Restrict to B-series and D/E v5/v6 SKUs
2	`smb-compute-02`	No Public IPs on NICs	Deny	Prevent public IPs on VM network interfaces
3	`smb-compute-03`	Audit Managed Disks	Audit	Audit VMs that do not use managed disks
4	`smb-compute-04`	Audit ARM VMs	Audit	Audit VMs using classic deployment model
5	`smb-compute-05`	Audit System Updates	Audit	Audit VMs missing system updates
6	`smb-compute-06`	Audit Endpoint Protection	Audit	Audit VMs without endpoint protection

Network Guardrails (5 policies — MG scope)

#	Name	Display Name	Effect	Description
7	`smb-network-01`	NSG on Subnets	Audit	Audit subnets without an NSG
8	`smb-network-02`	Close Management Ports	Audit	Audit VMs with ports 22/3389 exposed
9	`smb-network-03`	Restrict NSG Ports	Audit	Audit NSG rules allowing unrestricted access
10	`smb-network-04`	Disable IP Forwarding	Deny	Block IP forwarding on NICs
11	`smb-network-05`	Audit NSG Flow Logs	Audit	Audit NSGs without flow logs configured

Storage Guardrails (5 policies — MG scope)

#	Name	Display Name	Effect	Description
12	`smb-storage-01`	Storage HTTPS Only	Deny	Require HTTPS on storage accounts
13	`smb-storage-02`	No Public Blob Access	Deny	Deny public blob access
14	`smb-storage-03`	Storage TLS 1.2	Deny	Deny storage accounts with TLS below 1.2
15	`smb-storage-04`	Restrict Storage Network	Audit	Audit unrestricted network access
16	`smb-storage-05`	Storage ARM Migration	Audit	Audit classic storage accounts

Identity & Access (4 policies — MG scope)

#	Name	Display Name	Effect	Description
17	`smb-identity-01`	SQL Azure AD Only Auth	Audit	Audit SQL servers not using Azure AD-only auth
18	`smb-identity-02`	SQL No Public Access	Audit	Audit SQL servers with public network access
19	`smb-identity-03`	Audit MFA for Owners	Audit	Audit owner accounts without MFA
20	`smb-identity-04`	Audit Blocked Accounts	Audit	Audit blocked accounts with read/write permissions

Key Vault (7 policies — MG scope)

#	Name	Display Name	Effect	Description
21	`smb-kv-01`	Key Vault Soft Delete	Audit	Audit Key Vaults without soft delete
22	`smb-kv-02`	Key Vault Purge Protection	Audit	Audit Key Vaults without purge protection
23	`smb-kv-03`	Key Vault RBAC	Audit	Audit Key Vaults not using RBAC
24	`smb-kv-04`	Key Vault No Public Network	Audit	Audit public network access
25	`smb-kv-05`	Key Vault Secrets Expiration	Audit	Audit secrets without expiration dates
26	`smb-kv-06`	Key Vault Keys Expiration	Audit	Audit keys without expiration dates
27	`smb-kv-07`	Key Vault Resource Logs	Audit	Audit Key Vaults without resource logs

Tagging (2 policies — MG scope)

#	Name	Display Name	Effect	Description
28	`smb-tagging-01`	Require Environment Tag	Deny	Block resources without Environment tag
29	`smb-tagging-02`	Require Owner Tag	Deny	Block resources without Owner tag

Monitoring (1 policy — MG scope)

#	Name	Display Name	Effect	Description
30	`smb-monitoring-01`	Diagnostic Settings Required	Audit	Audit resources without diagnostic settings

Subscription-Scoped Policies (4 policies)

These policies require subscription-level resources (backup vault ID, budget, Defender) and cannot be assigned at MG scope.

#	Name	Display Name	Effect	Scope	Description
31	`smb-backup-01`	VM Backup Required	Audit	MG	Audit VMs without backup configured
32	`smb-backup-02`	VM Backup Auto-Enroll	DeployIfNotExists	Subscription	Auto-enroll VMs tagged `Backup: true`
33	`smb-backup-03`	Audit Storage Geo-Redundancy	Audit	MG	Audit storage not using geo-redundant storage
34	`smb-governance-01`	Allowed Locations	Deny	MG	Restrict to swedencentral, germanywestcentral, global

Summary

Category	Deny	Audit	DINE	Total
Compute	2	4	0	6
Network	1	4	0	5
Storage	3	2	0	5
Identity	0	4	0	4
Key Vault	0	7	0	7
Tagging	2	0	0	2
Monitoring	0	1	0	1
Backup	0	2	1	3
Governance	1	0	0	1
Total	9	24	1	34