AzPolicyAdvertizer

last sync: 2021-Sep-24 16:09:49 UTC

Azure Policy definition

Certificates should be issued by the specified integrated certificate authority

Name Certificates should be issued by the specified integrated certificate authority
Azure Portal
Id 8e826246-c976-48f6-b03e-619bb92b3d82
Version 2.0.1
details on versioning
Category Key Vault
Microsoft docs
Description Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.
Mode Microsoft.KeyVault.Data
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: audit
Allowed: (audit, deny, disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-08-30 14:27:30 change Patch, old suffix: preview (2.0.0-preview > 2.0.1)
2020-09-02 14:03:46 change Previous DisplayName: [Preview]: Manage certificates issued by an integrated CA
2019-11-19 11:26:09 change Previous DisplayName: [Preview]: Certificates should be issued by an approved Azure Key Vault supported Certificate Authority provider
Used in Initiatives none
JSON Changes

JSON 
{
  "displayName": "Certificates should be issued by the specified integrated certificate authority",
  "policyType": "BuiltIn",
  "mode": "Microsoft.KeyVault.Data",
  "description": "Manage your organizational compliance requirements by specifying the Azure integrated certificate authorities that can issue certificates in your key vault such as Digicert or GlobalSign.",
  "metadata": {
    "version": "2.0.1",
    "category": "Key Vault"
  },
  "parameters": {
    "allowedCAs": {
      "type": "Array",
      "metadata": {
        "displayName": "Allowed Azure Key Vault Supported CAs",
        "description": "The list of allowed certificate authorities supported by Azure Key Vault."
      },
      "allowedValues": [
        "DigiCert",
        "GlobalSign"
      ],
      "defaultValue": [
        "DigiCert",
        "GlobalSign"
      ]
    },
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "'Audit' allows a non-compliant resource to be created, but flags it as non-compliant. 'Deny' blocks the resource creation. 'Disable' turns off the policy."
      },
      "allowedValues": [
        "audit",
        "deny",
        "disabled"
      ],
      "defaultValue": "audit"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.KeyVault.Data/vaults/certificates"
        },
        {
          "field": "Microsoft.KeyVault.Data/vaults/certificates/issuer.name",
          "notIn": "[parameters('allowedCAs')]"
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}