last sync: 2021-Oct-15 16:53:12 UTC

Azure Policy definition

Configure Batch accounts to disable local authentication

Name Configure Batch accounts to disable local authentication
Id 4dbc2f5c-51cf-4e38-9179-c7028eed2274
Version 1.0.0
Category Batch
Description Disable local authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Modify
Allowed: (Modify, Disabled)
Used RBAC Role
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-08-09 19:32:42 add 4dbc2f5c-51cf-4e38-9179-c7028eed2274
Used in Initiatives none
JSON
{
  "displayName": "Configure Batch accounts to disable local authentication",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "Disable local authentication methods so that your Batch accounts require Azure Active Directory identities exclusively for authentication. Learn more at: https://aka.ms/batch/auth.",
  "metadata": {
    "version": "1.0.0",
    "category": "Batch"
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "Modify",
        "Disabled"
      ],
      "defaultValue": "Modify"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Batch/batchAccounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes",
              "exists": "false"
            },
            {
              "count": {
                "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]",
                "where": {
                  "not": {
                    "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes[*]",
                    "equals": "AAD"
                  }
                }
              },
              "greater": 0
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "conflictEffect": "audit",
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
        ],
        "operations": [
          {
            "condition": "[greaterOrEquals(requestContext().apiVersion, '2021-06-01')]",
            "operation": "addOrReplace",
            "field": "Microsoft.Batch/batchAccounts/allowedAuthenticationModes",
            "value": [
              "AAD"
            ]
          }
        ]
      }
    }
  }
}