last sync: 2021-Jan-20 16:06:14 UTC

Azure Policy definition

Service principals should be used to protect your subscriptions instead of management certificates

Name: Service principals should be used to protect your subscriptions instead of management certificates
Id: 6646a0bd-e110-40ca-bb97-84fcee63c414
Version: 1.0.0
Category: Security Center
Description: Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise.
Mode: All
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default AuditIfNotExists; Allowed (AuditIfNotExists, Disabled)
Used RBAC Role: none
History

Date/Time (UTC ymd) | Change type | Change detail
2020-09-09 11:24:03 | add         | 6646a0bd-e110-40ca-bb97-84fcee63c414
Used in Initiatives

Initiative DisplayName                         | Initiative Id                        | Initiative Category   | State
[Preview]: Azure Security Benchmark v2         | bb522ac1-bc39-4957-b194-429bcd3bcb0b | Regulatory Compliance | Preview
Enable Monitoring in Azure Security Center     | 1f3afdf9-d0c9-4c3d-847f-89da613e70a8 | Security Center       | GA
Json
{
  "properties": {
    "displayName": "Service principals should be used to protect your subscriptions instead of management certificates",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise.",
    "metadata": {
      "version": "1.0.0",
      "category": "Security Center"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "AuditIfNotExists",
          "Disabled"
        ],
        "defaultValue": "AuditIfNotExists"
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": [
          "Microsoft.Resources/subscriptions"
        ]
      },
      "then": {
        "effect": "[parameters('effect')]",
        "details": {
          "type": "Microsoft.Security/assessments",
          "name": "2acd365d-e8b5-4094-bce4-244b7c51d67c",
          "existenceCondition": {
            "field": "Microsoft.Security/assessments/status.code",
            "in": [
              "NotApplicable",
              "Healthy"
            ]
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/6646a0bd-e110-40ca-bb97-84fcee63c414",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "6646a0bd-e110-40ca-bb97-84fcee63c414"
}