Comments (9)
joshidp
commented on May 11, 2024
Can we have a deny policy for SQL Servers without aad admin user set?
Thanks
from azure-policy.
pilor
commented on May 11, 2024
Sorry, this request isn't clear. What resource property are you requesting to be exposed as a policy alias?
from azure-policy.
joshidp
commented on May 11, 2024
Hi Chris,
This request is for below set of properties under AzureSQL Server.
"type": "Microsoft.Sql/servers/administrators",
"properties": {
"administratorType": "ActiveDirectory",
"login": "[email protected]",
"sid": "xxxx--xxxx--xxxx",
"tenantId": "xxxx--xxxx--xxxx"
}
Thanks & Regards,
Deepak
from azure-policy.
pilor
commented on May 11, 2024
I will work with the SQL team to get these published
from azure-policy.
joshidp
commented on May 11, 2024
Thanks
from azure-policy.
pilor
commented on May 11, 2024
The following aliases are now available:
Microsoft.Sql/servers/administrators/administratorType
Microsoft.Sql/servers/administrators/login
icrosoft.Sql/servers/administrators/sid
Microsoft.Sql/servers/administrators/tenantId
from azure-policy.
hrboyceiii
commented on May 11, 2024
Is there a working example of this? I have a policy defined as such:
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers/administrators"
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/administratorType",
"equals": "ActiveDirectory"
}
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/login",
"exists": true
}
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/sid",
"equals": "[parameters('administratorSid')]"
}
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/tenantId",
"equals": "[subscription().tenantId]"
}
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
Hard coding values for Tenant and Sid do nothing; meaning, if I set effect to Deny and I run an ARM Template, call Set-AzureRMSQLServerAzureActiveDirectoryAdministrator or manipulate the AAD Settings via the Portal, nothing happens with the policy. I don't see anything in the Activity Log on the resource group either.
Am I missing something?
from azure-policy.
hrboyceiii
commented on May 11, 2024
Update: taking from the AAD Admin sample which uses an AuditIfNotExists effect, I was able to get this to trigger non-compliance state.
Desired effect would be to enable a deny to prevent the resource from entering non-compliance. Is this possible?
Here's the AuditIfNotExists policy rule for reference:
{
"if": {
"field": "type",
"equals": "Microsoft.Sql/servers"
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Sql/servers/administrators",
"existenceCondition": {
"allOf": [
{
"not": {
"field": "Microsoft.Sql/servers/administrators/administratorType",
"equals": "ActiveDirectory"
}
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/login",
"exists": true
}
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/sid",
"equals": "[parameters('administratorSid')]"
}
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/tenantId",
"equals": "[subscription().tenantId]"
}
}
]
}
}
}
}
from azure-policy.
surenderssm
commented on May 11, 2024
@hrboyceiii I ended up visiting this item as I too wasted good number of hours in fixing one of the similar issue.
So there are two similar aliases Microsoft.Sql/servers/administrators/sid and Microsoft.Sql/servers/administrators/activeDirectory.sid.
Given your scenario, you should consider using Microsoft.Sql/servers/administrators/activeDirectory.sid instead of Microsoft.Sql/servers/administrators/sid
Following policy rule worked for me (yes it rejects the requests where admin is not from a predefined list).
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers/administrators"
},
{
"not": {
"field": "Microsoft.Sql/servers/administrators/activeDirectory.sid",
"in": "[parameters('approvedIdentityObjectIds')]"
}
}
]
},
"then": {
"effect": "deny"
}
}
from azure-policy.
Related Issues (20)
- Enabling AKS Azure Policy Addon when workload identity is enabled. Pods start showing error "Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request"
- NetworkSecurityGroup_FlowLog_Deploy.json - errors in Az Gov - resourceNotfound
- Broken link in AKS Safeguards policy
- Alias request: Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.patchSettings.patchMode and Microsoft.Compute/virtualMachines/osProfile.linuxConfiguration.patchSettings.patchMode HOT 3
- Policy "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters" refers to a role definitions which does not exists HOT 1
- Azure Policy does not support Red Hat 9.*
- VM Backup policies are missing Hotpatch image SKUs HOT 1
- Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint: Missing Image Offer HOT 1
- Configure Windows Machines to be associated with a Data Collection Rule or a Data Collection Endpoint: Add multiple dcrResourceIds
- Over-priviledged managed identity - role definition ID should be changed
- Over-priviledged managed identity - role definition ID should be changed
- "[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines" for a UAMI in another subscription
- Policy effect types are declared twice
- Storage accounts - cross tenant object replication policy should get updated to reflect the new behavior
- DiagSettings_logAnalytics_firewall_DINE should support structured logs
- [Preview]: Configure ChangeTracking Extension for Linux virtual machines: Azure Policy does not support Red Hat 9.*
- Azure Policy Rules do not support Management Groups
- Managed identity over-provisioning of RBAC role for policy 'Configure periodic checking for missing system updates on azure virtual machines'
- Setup subscriptions to transition to an alternative vulnerability assessment solution - contains hardcoded location eastus
- [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines - Permissions issue when scoped to resource group. HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from azure-policy.