last sync: 2021-Aug-04 14:59:26 UTC

Azure Policy definition

Azure Media Services content key policies should use token authentication

Name Azure Media Services content key policies should use token authentication
Azure Portal
Id daccf7e4-9808-470c-a848-1c5b582a1afb
Version 1.0.0
details on versioning
Category Media Services
Microsoft docs
Description Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Audit
Allowed: (Audit, Deny, Disabled)
Used RBAC Role none
History
Date/Time (UTC ymd) (i) Change type Change detail
2021-05-18 14:34:48 add daccf7e4-9808-470c-a848-1c5b582a1afb
Used in Initiatives none
JSON
{
  "properties": {
    "displayName": "Azure Media Services content key policies should use token authentication",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Content key policies define the conditions that must be met to access content keys. A token restriction ensures content keys can only be accessed by users that have valid tokens from an authentication service, for example Azure Active Directory.",
    "metadata": {
      "version": "1.0.0",
      "category": "Media Services"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      },
      "openIdConnectDiscoveryDocument": {
        "type": "String",
        "metadata": {
          "displayName": "OpenID Connect discovery document",
        "description": "The permitted OpenID Connect discovery document. When using Azure Active Directory, this would be similar to 'https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration', where {tenantId} is replaced with the tenant (directory) ID."
        }
      },
      "issuer": {
        "type": "String",
        "metadata": {
          "displayName": "Issuer",
        "description": "The permitted token issuer. When using Azure Active Directory, this would be similar to 'https://sts.windows.net/{tenantId}/', where {tenantId} is replaced with the tenant (directory) ID."
        }
      },
      "audience": {
        "type": "String",
        "metadata": {
          "displayName": "Audience",
          "description": "The permitted token audience. When using Azure Active Directory, this is the Application ID URI of the resource application."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Media/mediaservices/contentKeyPolicies"
          },
          {
            "count": {
            "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*]",
              "where": {
                "not": {
                  "allOf": [
                    {
                    "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction",
                      "exists": "true"
                    },
                    {
                    "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.restrictionTokenType",
                      "matchInsensitively": "Jwt"
                    },
                    {
                    "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.openIdConnectDiscoveryDocument",
                    "like": "[parameters('openIdConnectDiscoveryDocument')]"
                    },
                    {
                    "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.issuer",
                    "like": "[parameters('issuer')]"
                    },
                    {
                    "field": "Microsoft.Media/mediaServices/contentKeyPolicies/options[*].restriction.#Microsoft-Media-ContentKeyPolicyTokenRestriction.audience",
                    "like": "[parameters('audience')]"
                    }
                  ]
                }
              }
            },
            "greater": 0
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/daccf7e4-9808-470c-a848-1c5b582a1afb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "daccf7e4-9808-470c-a848-1c5b582a1afb"
}