last sync: 2020-Oct-01 14:15:17 UTC

Azure Policy

Enable Automanage - Azure virtual machine best practices

Policy DisplayName Enable Automanage - Azure virtual machine best practices
Policy Id 270610db-8c04-438a-a739-e8e6745b22d3
Policy Category Automanage
Policy Description Automanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Fixed: deployIfNotExists
Roles used
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-09-15 14:06:41 add: Policy 270610db-8c04-438a-a739-e8e6745b22d3
Used in Policy Initiative(s) none
Policy Rule
{
  "properties": {
    "displayName": "Enable Automanage - Azure virtual machine best practices",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Automanage enrolls, configures, and monitors virtual machines with Azure VM best practice services. Use this policy to apply Automanage to your selected scope.",
    "metadata": {
      "version": "1.0.0",
      "category": "Automanage"
    },
    "parameters": {
      "automanageAccount": {
        "type": "String",
        "metadata": {
          "displayName": "Automanage account",
          "description": "Select Automanage account from dropdown list. If this account is outside of the scope of the assignment you must manually grant 'Contributor' permissions (or similar) on the account to the policy assignment's principal ID.",
          "strongType": "Microsoft.Automanage/accounts",
          "assignPermissions": true
        }
      },
      "configurationProfileAssignment": {
        "type": "String",
        "metadata": {
          "displayName": "Configuration profile",
          "description": "The management services provided are based on whether the machine is intended to be used in a dev/test environment or production."
        },
        "allowedValues": [
          "Azure virtual machine best practices  Production",
          "Azure virtual machine best practices  Dev/test"
        ],
        "defaultValue": "Azure virtual machine best practices  Production"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "location",
            "in": [
              "eastus",
              "westus2",
              "westcentralus",
              "westeurope",
              "canadacentral"
            ]
          },
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/imagePublisher",
                "in": [
                  "esri",
                  "incredibuild",
                  "MicrosoftDynamicsAX",
                  "MicrosoftSharepoint",
                  "MicrosoftVisualStudio",
                  "MicrosoftWindowsDesktop",
                  "MicrosoftWindowsServerHPCPack"
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftWindowsServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageSKU",
                    "notLike": "2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "MicrosoftSQLServer"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "notLike": "SQL2008*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-dsvm"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "dsvm-windows"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "microsoft-ads"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "in": [
                      "standard-data-science-vm",
                      "windows-data-science-vm"
                    ]
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "batch"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "equals": "rendering-windows2016"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "center-for-internet-security-inc"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "cis-windows-server-201*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "pivotal"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "bosh-windows-server*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "field": "Microsoft.Compute/imagePublisher",
                    "equals": "cloud-infrastructure-services"
                  },
                  {
                    "field": "Microsoft.Compute/imageOffer",
                    "like": "ad*"
                  }
                ]
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration",
                        "exists": "true"
                      },
                      {
                        "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
                        "like": "Windows*"
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.Compute/imageSKU",
                        "exists": "false"
                      },
                      {
                        "allOf": [
                          {
                            "field": "Microsoft.Compute/imageSKU",
                            "notLike": "2008*"
                          },
                          {
                            "field": "Microsoft.Compute/imageOffer",
                            "notLike": "SQL2008*"
                          }
                        ]
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "type": "Microsoft.Automanage/configurationProfileAssignments",
          "name": "default",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Automanage/configurationProfileAssignments/configurationProfile",
              "equals": "[parameters('configurationProfileAssignment')]"
              },
              {
                "field": "Microsoft.Automanage/configurationProfileAssignments/accountId",
              "equals": "[parameters('automanageAccount')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "parameters": {
                "machineName": {
                "value": "[field('Name')]"
                },
                "automanageAccount": {
                "value": "[parameters('automanageAccount')]"
                },
                "configurationProfileAssignment": {
                "value": "[parameters('configurationProfileAssignment')]"
                }
              },
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "machineName": {
                    "type": "String"
                  },
                  "automanageAccount": {
                    "type": "string"
                  },
                  "configurationProfileAssignment": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/providers/configurationProfileAssignments",
                    "apiVersion": "2020-06-30-preview",
                  "name": "[concat(parameters('machineName'), '/Microsoft.Automanage/', 'default')]",
                    "properties": {
                    "configurationProfile": "[parameters('configurationProfileAssignment')]",
                    "accountId": "[parameters('automanageAccount')]"
                    }
                  }
                ]
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/270610db-8c04-438a-a739-e8e6745b22d3",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "270610db-8c04-438a-a739-e8e6745b22d3"
}