Used in 1 Policy Set(s):
• [Deprecated]: Deploy Diagnostic Settings to Azure Services (Deploy-Diagnostics-LogAnalytics) [Monitoring] ALZ
if (1)
• 'microsoft.dbformysql/servers'
{ "policyType": "Custom", "mode": "Indexed", "displayName": "[Deprecated]: Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace", "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. This policy is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.", "metadata": { "deprecated": true, "version": "1.1.0-deprecated", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", "AzureUSGovernment" ] }, "parameters": { "logAnalytics": { "type": "String", "metadata": { "displayName": "Log Analytics workspace", "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.", "strongType": "omsWorkspace" } }, "effect": { "type": "String", "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" } }, "profileName": { "type": "String", "defaultValue": "setbypolicy", "metadata": { "displayName": "Profile name", "description": "The diagnostic settings profile name" } }, "metricsEnabled": { "type": "String", "defaultValue": "True", "allowedValues": [ "True", "False" ], "metadata": { "displayName": "Enable metrics", "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" } }, "logsEnabled": { "type": "String", "defaultValue": "True", "allowedValues": [ "True", "False" ], "metadata": { "displayName": "Enable logs", "description": "Whether to enable logs stream to the Log Analytics workspace - 
True or False" } } }, "policyRule": { "if": { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "name": "[parameters('profileName')]", "existenceCondition": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", "equals": "true" }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" } ] }, "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa", "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" ], "deployment": { "properties": { "mode": "Incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "resourceName": { "type": "String" }, "logAnalytics": { "type": "String" }, "location": { "type": "String" }, "profileName": { "type": "String" }, "metricsEnabled": { "type": "String" }, "logsEnabled": { "type": "String" } }, "variables": {}, "resources": [ { "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", "apiVersion": "2017-05-01-preview", "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", "location": "[parameters('location')]", "dependsOn": [], "properties": { "workspaceId": "[parameters('logAnalytics')]", "metrics": [ { "category": "AllMetrics", "enabled": "[parameters('metricsEnabled')]", "retentionPolicy": { "days": 0, "enabled": false }, "timeGrain": null } ], "logs": [ { "category": "MySqlSlowLogs", "enabled": "[parameters('logsEnabled')]" }, { "category": "MySqlAuditLogs", "enabled": "[parameters('logsEnabled')]" } ] } } ], "outputs": {} }, "parameters": { "logAnalytics": { "value": "[parameters('logAnalytics')]" }, 
"location": { "value": "[field('location')]" }, "resourceName": { "value": "[field('name')]" }, "profileName": { "value": "[parameters('profileName')]" }, "metricsEnabled": { "value": "[parameters('metricsEnabled')]" }, "logsEnabled": { "value": "[parameters('logsEnabled')]" } } } } } } } }
if (1)
• 'microsoft.dbformysql/servers'
{ "displayName": "Deploy Diagnostic Settings for Database for MySQL to Event Hub", "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Event Hub when any Database for MySQL which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", "metadata": { "version": "1.0.0", "category": "Monitoring" }, "mode": "Indexed", "parameters": { "eventHubRuleId": { "type": "String", "metadata": { "displayName": "Event Hub Authorization Rule Id", "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", "assignPermissions": true } }, "eventHubName": { "type": "String", "metadata": { "displayName": "Event Hub Name", "description": "Specify the name of the Event Hub" } }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "profileName": { "type": "String", "metadata": { "displayName": "Profile name", "description": "The diagnostic settings profile name" }, "defaultValue": "setbypolicy_EH" }, "metricsEnabled": { "type": "String", "metadata": { "displayName": "Enable metrics", "description": "Whether to enable metrics stream to the Event Hub - True or False" }, "allowedValues": [ "True", "False" ], "defaultValue": "False" }, "logsEnabled": { "type": "String", "metadata": { "displayName": "Enable logs", "description": "Whether to enable logs stream to the Event Hub - True or False" }, "allowedValues": [ "True", "False" ], "defaultValue": "True" }, "eventHubLocation": 
{ "type": "String", "metadata": { "displayName": "Event Hub Location", "description": "Resource Location must be in the same location as the Event Hub Namespace.", "strongType": "location" }, "allowedValues": [ "swedencentral", "westeurope" ], "defaultValue": "westeurope" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, { "anyOf": [ { "value": "[parameters('eventHubLocation')]", "equals": "" }, { "field": "location", "equals": "[parameters('eventHubLocation')]" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "name": "[parameters('profileName')]", "existenceCondition": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "[parameters('logsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", "equals": "[parameters('metricsEnabled')]" }, { "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", "matchInsensitively": "[parameters('eventHubRuleId')]" }, { "field": "Microsoft.Insights/diagnosticSettings/eventHubName", "matchInsensitively": "[parameters('eventHubName')]" } ] }, "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" ], "deployment": { "properties": { "mode": "Incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "resourceName": { "type": "String" }, "eventHubRuleId": { "type": "string" }, "eventHubName": { "type": "string" }, "location": { "type": "String" }, "profileName": { "type": "String" }, "metricsEnabled": { "type": "String" }, "logsEnabled": { "type": "String" } }, "variables": {}, "resources": [ { "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", "apiVersion": 
"2021-05-01-preview", "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", "location": "[parameters('location')]", "dependsOn": [], "properties": { "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", "eventHubName": "[parameters('eventHubName')]", "metrics": [ { "category": "AllMetrics", "enabled": "[parameters('metricsEnabled')]", "retentionPolicy": { "days": 0, "enabled": false }, "timeGrain": null } ], "logs": [ { "categoryGroup": "allLogs", "enabled": "[parameters('logsEnabled')]" } ] } } ], "outputs": { "policy": { "type": "string", "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Database for MySQL (Microsoft.DBforMySQL/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" } } }, "parameters": { "eventHubRuleId": { "value": "[parameters('eventHubRuleId')]" }, "eventHubName": { "value": "[parameters('eventHubName')]" }, "location": { "value": "[field('location')]" }, "resourceName": { "value": "[field('name')]" }, "profileName": { "value": "[parameters('profileName')]" }, "metricsEnabled": { "value": "[parameters('metricsEnabled')]" }, "logsEnabled": { "value": "[parameters('logsEnabled')]" } } } } } } } }
Used in 1 Policy Set(s):
• Enable allLogs category group resource logging for supported resources to Event Hub (85175a36-2f12-419a-96b4-18d5b0096531) [Monitoring] BuiltIn
thenExistenceCondition (5)
• 'Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId' (ref)
• 'Microsoft.Insights/diagnosticSettings/eventHubName' (ref)
• 'Microsoft.Insights/diagnosticSettings/logs[*]' (ref)
• 'Microsoft.Insights/diagnosticSettings/logs[*].enabled' (ref)
• 'microsoft.insights/diagnosticSettings/logs[*].categoryGroup' (ref)
if (1)
• 'microsoft.dbformysql/servers'
{ "displayName": "Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Event Hub", "policyType": "BuiltIn", "mode": "Indexed", "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Azure Database for MySQL servers (microsoft.dbformysql/servers).", "metadata": { "category": "Monitoring", "version": "1.0.0" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "diagnosticSettingName": { "type": "String", "metadata": { "displayName": "Diagnostic Setting Name", "description": "Diagnostic Setting Name" }, "defaultValue": "setByPolicy-EventHub" }, "categoryGroup": { "type": "String", "metadata": { "displayName": "Category Group", "description": "Diagnostic category group - none, audit, or allLogs." }, "allowedValues": [ "audit", "allLogs" ], "defaultValue": "audit" }, "resourceLocation": { "type": "String", "metadata": { "displayName": "Resource Location", "description": "Resource Location must be in the same location as the Event Hub Namespace.", "strongType": "location" } }, "eventHubAuthorizationRuleId": { "type": "String", "metadata": { "displayName": "Event Hub Authorization Rule Id", "description": "Event Hub Authorization Rule Id - the authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", "assignPermissions": true } }, "eventHubName": { "type": "String", "metadata": { "displayName": "Event Hub Name", "description": "Event Hub Name." }, "defaultValue": "Monitoring" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "microsoft.dbformysql/servers" }, { "field": "location", "equals": "[parameters('resourceLocation')]" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { "count": { "field": "Microsoft.Insights/diagnosticSettings/logs[*]", "where": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "[equals(parameters('categoryGroup'), 'allLogs')]" }, { "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", "equals": "allLogs" } ] } }, "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", "equals": "[parameters('eventHubAuthorizationRuleId')]" }, { "field": "Microsoft.Insights/diagnosticSettings/eventHubName", "equals": "[parameters('eventHubName')]" } ] }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "diagnosticSettingName": { "type": "string" }, "categoryGroup": { "type": "String" }, "eventHubName": { "type": "string" }, "eventHubAuthorizationRuleId": { "type": "string" }, "resourceLocation": { "type": "string" 
}, "resourceName": { "type": "string" } }, "variables": {}, "resources": [ { "type": "microsoft.dbformysql/servers/providers/diagnosticSettings", "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]", "location": "[parameters('resourceLocation')]", "properties": { "eventHubName": "[parameters('eventHubName')]", "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]", "logs": [ { "categoryGroup": "allLogs", "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]" } ], "metrics": [] } } ], "outputs": { "policy": { "type": "string", "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Azure Database for MySQL servers (microsoft.dbformysql/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubAuthorizationRuleId'), ':', parameters('eventHubName'), ' configured')]" } } }, "parameters": { "diagnosticSettingName": { "value": "[parameters('diagnosticSettingName')]" }, "categoryGroup": { "value": "[parameters('categoryGroup')]" }, "eventHubName": { "value": "[parameters('eventHubName')]" }, "eventHubAuthorizationRuleId": { "value": "[parameters('eventHubAuthorizationRuleId')]" }, "resourceLocation": { "value": "[field('location')]" }, "resourceName": { "value": "[field('name')]" } } } } } } } }
Used in 1 Policy Set(s):
• Enable allLogs category group resource logging for supported resources to Log Analytics (0884adba-2312-4468-abeb-5422caed1038) [Monitoring] BuiltIn
if (1)
• 'microsoft.dbformysql/servers'
{ "displayName": "Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics", "policyType": "BuiltIn", "mode": "Indexed", "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers).", "metadata": { "category": "Monitoring", "version": "1.0.0" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "diagnosticSettingName": { "type": "String", "metadata": { "displayName": "Diagnostic Setting Name", "description": "Diagnostic Setting Name" }, "defaultValue": "setByPolicy-LogAnalytics" }, "categoryGroup": { "type": "String", "metadata": { "displayName": "Category Group", "description": "Diagnostic category group - none, audit, or allLogs." }, "allowedValues": [ "audit", "allLogs" ], "defaultValue": "audit" }, "resourceLocationList": { "type": "Array", "metadata": { "displayName": "Resource Location List", "description": "Resource Location List to send logs to nearby Log Analytics. A single entry \"*\" selects all locations (default)." 
}, "defaultValue": [ "*" ] }, "logAnalytics": { "type": "String", "metadata": { "displayName": "Log Analytics Workspace", "description": "Log Analytics Workspace", "strongType": "omsWorkspace", "assignPermissions": true } } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "microsoft.dbformysql/servers" }, { "anyOf": [ { "value": "[first(parameters('resourceLocationList'))]", "equals": "*" }, { "field": "location", "in": "[parameters('resourceLocationList')]" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { "count": { "field": "Microsoft.Insights/diagnosticSettings/logs[*]", "where": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "[equals(parameters('categoryGroup'), 'allLogs')]" }, { "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", "equals": "allLogs" } ] } }, "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/workspaceId", "equals": "[parameters('logAnalytics')]" } ] }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "diagnosticSettingName": { "type": "string" }, "logAnalytics": { "type": "string" }, "categoryGroup": { "type": "String" }, "resourceName": { "type": "string" } }, "variables": {}, "resources": [ { "type": "microsoft.dbformysql/servers/providers/diagnosticSettings", "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]", "properties": { "workspaceId": "[parameters('logAnalytics')]", "logs": [ { "categoryGroup": "allLogs", "enabled": 
"[equals(parameters('categoryGroup'), 'allLogs')]" } ], "metrics": [] } } ], "outputs": { "policy": { "type": "string", "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Azure Database for MySQL servers (microsoft.dbformysql/servers), resourceName ', parameters('resourceName'), ' to Log Analytics ', parameters('logAnalytics'), ' configured')]" } } }, "parameters": { "diagnosticSettingName": { "value": "[parameters('diagnosticSettingName')]" }, "logAnalytics": { "value": "[parameters('logAnalytics')]" }, "categoryGroup": { "value": "[parameters('categoryGroup')]" }, "resourceName": { "value": "[field('name')]" } } } } } } } }
{"displayName":"Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Log Analytics","policyType":"BuiltIn","mode":"Indexed","description":"Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Azure Database for MySQL servers (microsoft.dbformysql/servers).","metadata":{"category":"Monitoring","version":"1.0.0"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","AuditIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"diagnosticSettingName":{"type":"String","metadata":{"displayName":"Diagnostic Setting Name","description":"Diagnostic Setting Name"},"defaultValue":"setByPolicy-LogAnalytics"},"categoryGroup":{"type":"String","metadata":{"displayName":"Category Group","description":"Diagnostic category group - none,audit,or allLogs."},"allowedValues":["audit","allLogs"],"defaultValue":"audit"},"resourceLocationList":{"type":"Array","metadata":{"displayName":"Resource Location List","description":"Resource Location List to send logs to nearby Log Analytics. 
A single entry \"*\" selects all locations (default)."},"defaultValue":["*"]},"logAnalytics":{"type":"String","metadata":{"displayName":"Log Analytics Workspace","description":"Log Analytics Workspace","strongType":"omsWorkspace","assignPermissions":true}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.dbformysql/servers"},{"anyOf":[{"value":"[first(parameters('resourceLocationList'))]","equals":"*"},{"field":"location","in":"[parameters('resourceLocationList')]"}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Insights/diagnosticSettings","evaluationDelay":"AfterProvisioning","existenceCondition":{"allOf":[{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].enabled","equals":"[equals(parameters('categoryGroup'),'allLogs')]"},{"field":"microsoft.insights/diagnosticSettings/logs[*].categoryGroup","equals":"allLogs"}]}},"equals":1},{"field":"Microsoft.Insights/diagnosticSettings/workspaceId","equals":"[parameters('logAnalytics')]"}]},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"diagnosticSettingName":{"type":"string"},"logAnalytics":{"type":"string"},"categoryGroup":{"type":"String"},"resourceName":{"type":"string"}},"variables":{},"resources":[{"type":"microsoft.dbformysql/servers/providers/diagnosticSettings","apiVersion":"2021-05-01-preview","name":"[concat(parameters('resourceName'),'/','Microsoft.Insights/',parameters('diagnosticSettingName'))]","properties":{"workspaceId":"[parameters('logAnalytics')]","logs":[{"categoryGroup":"allLogs","enabled":"[equals(parameters('categoryGroup'),'allLogs')]"}],"metrics":[]}}],"outputs":{"policy":{"type":"string","value":"[concat('Diagnos
tic setting ',parameters('diagnosticSettingName'),' for type Azure Database for MySQL servers (microsoft.dbformysql/servers),resourceName ',parameters('resourceName'),' to Log Analytics ',parameters('logAnalytics'),' configured')]"}}},"parameters":{"diagnosticSettingName":{"value":"[parameters('diagnosticSettingName')]"},"logAnalytics":{"value":"[parameters('logAnalytics')]"},"categoryGroup":{"value":"[parameters('categoryGroup')]"},"resourceName":{"value":"[field('name')]"}}}}}}}}
Used in 1 Policy Set(s):
• Enable allLogs category group resource logging for supported resources to storage (b6b86da9-e527-49de-ac59-6af0a9db10b8) [Monitoring] BuiltIn
if (1)
• 'microsoft.dbformysql/servers'
{ "displayName": "Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage", "policyType": "BuiltIn", "mode": "Indexed", "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers).", "metadata": { "category": "Monitoring", "version": "1.0.0" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "AuditIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" }, "diagnosticSettingName": { "type": "String", "metadata": { "displayName": "Diagnostic Setting Name", "description": "Diagnostic Setting Name" }, "defaultValue": "setByPolicy-Storage" }, "categoryGroup": { "type": "String", "metadata": { "displayName": "Category Group", "description": "Diagnostic category group - none, audit, or allLogs." 
}, "allowedValues": [ "audit", "allLogs" ], "defaultValue": "audit" }, "resourceLocation": { "type": "String", "metadata": { "displayName": "Resource Location", "description": "Resource Location must be in the same location as the Storage Account.", "strongType": "location" } }, "storageAccount": { "type": "String", "metadata": { "displayName": "Storage Account", "description": "Full path (resourceId) to the storage account.", "assignPermissions": true } } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "microsoft.dbformysql/servers" }, { "field": "location", "equals": "[parameters('resourceLocation')]" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.Insights/diagnosticSettings", "evaluationDelay": "AfterProvisioning", "existenceCondition": { "allOf": [ { "count": { "field": "Microsoft.Insights/diagnosticSettings/logs[*]", "where": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "[equals(parameters('categoryGroup'), 'allLogs')]" }, { "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", "equals": "allLogs" } ] } }, "equals": 1 }, { "field": "Microsoft.Insights/diagnosticSettings/storageAccountId", "equals": "[parameters('storageAccount')]" } ] }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "diagnosticSettingName": { "type": "string" }, "categoryGroup": { "type": "String" }, "storageAccount": { "type": "string" }, "resourceLocation": { "type": "string" }, "resourceName": { "type": "string" } }, "variables": {}, "resources": [ { "type": "microsoft.dbformysql/servers/providers/diagnosticSettings", "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('resourceName'), 
'/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]", "location": "[parameters('resourceLocation')]", "properties": { "storageAccountId": "[parameters('storageAccount')]", "logs": [ { "categoryGroup": "allLogs", "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]" } ], "metrics": [] } } ], "outputs": { "policy": { "type": "string", "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Azure Database for MySQL servers (microsoft.dbformysql/servers), resourceName ', parameters('resourceName'), ' to Storage Account ', parameters('storageAccount'), ' configured')]" } } }, "parameters": { "diagnosticSettingName": { "value": "[parameters('diagnosticSettingName')]" }, "categoryGroup": { "value": "[parameters('categoryGroup')]" }, "storageAccount": { "value": "[parameters('storageAccount')]" }, "resourceLocation": { "value": "[field('location')]" }, "resourceName": { "value": "[field('name')]" } } } } } } } }
{"displayName":"Enable logging by category group for Azure Database for MySQL servers (microsoft.dbformysql/servers) to Storage","policyType":"BuiltIn","mode":"Indexed","description":"Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Azure Database for MySQL servers (microsoft.dbformysql/servers).","metadata":{"category":"Monitoring","version":"1.0.0"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","AuditIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"},"diagnosticSettingName":{"type":"String","metadata":{"displayName":"Diagnostic Setting Name","description":"Diagnostic Setting Name"},"defaultValue":"setByPolicy-Storage"},"categoryGroup":{"type":"String","metadata":{"displayName":"Category Group","description":"Diagnostic category group - none,audit,or allLogs."},"allowedValues":["audit","allLogs"],"defaultValue":"audit"},"resourceLocation":{"type":"String","metadata":{"displayName":"Resource Location","description":"Resource Location must be in the same location as the Storage Account.","strongType":"location"}},"storageAccount":{"type":"String","metadata":{"displayName":"Storage Account","description":"Full path (resourceId) to the storage 
account.","assignPermissions":true}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"microsoft.dbformysql/servers"},{"field":"location","equals":"[parameters('resourceLocation')]"}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.Insights/diagnosticSettings","evaluationDelay":"AfterProvisioning","existenceCondition":{"allOf":[{"count":{"field":"Microsoft.Insights/diagnosticSettings/logs[*]","where":{"allOf":[{"field":"Microsoft.Insights/diagnosticSettings/logs[*].enabled","equals":"[equals(parameters('categoryGroup'),'allLogs')]"},{"field":"microsoft.insights/diagnosticSettings/logs[*].categoryGroup","equals":"allLogs"}]}},"equals":1},{"field":"Microsoft.Insights/diagnosticSettings/storageAccountId","equals":"[parameters('storageAccount')]"}]},"roleDefinitionIds":["/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"diagnosticSettingName":{"type":"string"},"categoryGroup":{"type":"String"},"storageAccount":{"type":"string"},"resourceLocation":{"type":"string"},"resourceName":{"type":"string"}},"variables":{},"resources":[{"type":"microsoft.dbformysql/servers/providers/diagnosticSettings","apiVersion":"2021-05-01-preview","name":"[concat(parameters('resourceName'),'/','Microsoft.Insights/',parameters('diagnosticSettingName'))]","location":"[parameters('resourceLocation')]","properties":{"storageAccountId":"[parameters('storageAccount')]","logs":[{"categoryGroup":"allLogs","enabled":"[equals(parameters('categoryGroup'),'allLogs')]"}],"metrics":[]}}],"outputs":{"policy":{"type":"string","value":"[concat('Diagnostic setting ',parameters('diagnosticSettingName'),' for type Azure Database for MySQL servers (microsoft.dbformysql/servers),resourceName ',parameters('resourceName'),' to Storage Account 
',parameters('storageAccount'),' configured')]"}}},"parameters":{"diagnosticSettingName":{"value":"[parameters('diagnosticSettingName')]"},"categoryGroup":{"value":"[parameters('categoryGroup')]"},"storageAccount":{"value":"[parameters('storageAccount')]"},"resourceLocation":{"value":"[field('location')]"},"resourceName":{"value":"[field('name')]"}}}}}}}}
Used in 19 Policy Set(s):
• CSA CSA Cloud Controls Matrix v4.0.12 (8791506a-dec4-497a-a83f-3abfde37c400) [Regulatory Compliance] BuiltIn
• Canada Federal PBMM 3-1-2020 (f8f5293d-df94-484a-a3e7-6b422a999d91) [Regulatory Compliance] BuiltIn
• Cyber Essentials v3.1 (b2f588d7-1ed5-47c7-977d-b93dff520c4c) [Regulatory Compliance] BuiltIn
• Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 (a4087154-2edb-4329-b56a-1cc986807f3c) [Regulatory Compliance] BuiltIn
• EU 2022/2555 (NIS2) 2022 (42346945-b531-41d8-9e46-f95057672e88) [Regulatory Compliance] BuiltIn
• EU General Data Protection Regulation (GDPR) 2016/679 (7326812a-86a4-40c8-af7c-8945de9c4913) [Regulatory Compliance] BuiltIn
• FBI Criminal Justice Information Services (CJIS) v5.9.5 (4fcabc2a-30b2-4ba5-9fbb-b1a4e08fb721) [Regulatory Compliance] BuiltIn
• FFIEC CAT 2017 (1d5dbdd5-6f93-43ce-a939-b19df3753cf7) [Regulatory Compliance] BuiltIn
• HITRUST CSF v11.3 (e0d47b75-5d99-442a-9d60-07f2595ab095) [Regulatory Compliance] BuiltIn
• K ISMS P 2018 (e0782c37-30da-4a78-9f92-50bfe7aa2553) [Regulatory Compliance] BuiltIn
• Microsoft cloud security benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8) [Security Center] BuiltIn
• NCSC Cyber Assurance Framework (CAF) v3.2 (6d220abf-cf6f-4b17-8f7e-0644c4cc84b4) [Regulatory Compliance] BuiltIn
• NIST 800-171 R3 (38916c43-6876-4971-a4b1-806aa7e55ccc) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 R5.1.1 (60205a79-6280-4e20-a147-e2011e09dc78) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme V2 (d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee) [Regulatory Compliance] BuiltIn
• NZISM v3.7 (4476df0a-18ab-4bfe-b6ad-cccae1cf320f) [Regulatory Compliance] BuiltIn
• New Zealand ISM (4f5b1359-4f8e-4d7c-9733-ea47fcde891e) [Regulatory Compliance] BuiltIn
• SOC 2023 (53ad89f5-8542-49e9-ba81-1cbd686e0d52) [Regulatory Compliance] BuiltIn
• SWIFT Customer Security Controls Framework 2024 (7499005e-df5a-45d9-810f-041cf346678c) [Regulatory Compliance] BuiltIn
if (1)
• 'microsoft.dbformysql/servers'
thenDetails (1)
• 'Microsoft.DBforMySQL/servers/administrators'
Used 19x as a control:
• PCI_DSS_V3.2.1_8.2.5 (ref)
• NIST_SP_800-53_R5_PE-14 (ref)
• FedRAMP_Moderate_R4_CP-7(2) (ref)
• CIS_Azure_1.3.0_6.4 (ref)
• PCI_DSS_v4.0_7.1.2 (ref)
• CIS_Azure_Foundations_v3.0.0_3.1.14 (ref)
• CIS_Azure_2.0.0_2.1.17 (ref)
• FedRAMP_Moderate_R4_SC-19 (ref)
• FedRAMP_High_R4_MP-6 (ref)
• PCI_DSS_v4.0_3.5.1 (ref)
• FedRAMP_Moderate_R4_SC-12 (ref)
• NIST_CSF_v2.0_ID.AM_01 (ref)
• NIST_SP_800-53_R5_PL-4 (ref)
• mp.eq.3 Protection of portable devices (ref)
• CIS_Azure_Foundations_v3.0.0_4.2 (ref)
• FedRAMP_High_R4_MA-4 (ref)
• hipaa-1668.12d1Organizational.67-12.d (ref)
• NZISM_v3.7_12.4.4.C.02. (ref)
• hipaa-1421.05j2Organizational.12-05.j (ref)
{ "displayName": "A Microsoft Entra administrator should be provisioned for MySQL servers", "policyType": "BuiltIn", "mode": "Indexed", "description": "Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services", "metadata": { "version": "1.1.1", "category": "SQL" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "AuditIfNotExists", "Disabled" ], "defaultValue": "AuditIfNotExists" } }, "policyRule": { "if": { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.DBforMySQL/servers/administrators" } } } }
{"displayName":"A Microsoft Entra administrator should be provisioned for MySQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Audit provisioning of a Microsoft Entra administrator for your MySQL server to enable Microsoft Entra authentication. Microsoft Entra authentication enables simplified permission management and centralized identity management of database users and other Microsoft services","metadata":{"version":"1.1.1","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["AuditIfNotExists","Disabled"],"defaultValue":"AuditIfNotExists"}},"policyRule":{"if":{"field":"type","equals":"Microsoft.DBforMySQL/servers"},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.DBforMySQL/servers/administrators"}}}}
Used in 3 Policy Set(s):
• Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (Enforce-EncryptTransit_20241211) [Encryption] ALZ
• [Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (Enforce-EncryptTransit) [Encryption] ALZ
• [Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (Enforce-EncryptTransit_20240509) [Encryption] ALZ
if (1)
• 'microsoft.dbformysql/servers'
thenDeployment (1)
• 'microsoft.dbformysql/servers'
{ "policyType": "Custom", "mode": "Indexed", "displayName": "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.", "description": "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforcing a minimum TLS version for connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { "version": "1.2.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ "AzureCloud", "AzureChinaCloud", "AzureUSGovernment" ] }, "parameters": { "effect": { "type": "String", "defaultValue": "DeployIfNotExists", "allowedValues": [ "DeployIfNotExists", "Disabled" ], "metadata": { "displayName": "Effect minimum TLS version Azure Database for MySQL server", "description": "Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server" } }, "minimalTlsVersion": { "type": "String", "defaultValue": "TLS1_2", "allowedValues": [ "TLS1_2", "TLS1_0", "TLS1_1", "TLSEnforcementDisabled" ], "metadata": { "displayName": "Select version minimum TLS for MySQL server", "description": "Select version minimum TLS version Azure Database for MySQL server to enforce" } } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, { "anyOf": [ { "field": "Microsoft.DBforMySQL/servers/sslEnforcement", "notEquals": "Enabled" }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", "less": "[parameters('minimalTlsVersion')]" } ] } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.DBforMySQL/servers", "existenceCondition": { "allOf": [ { "field": "Microsoft.DBforMySQL/servers/sslEnforcement", 
"equals": "Enabled" }, { "field": "Microsoft.DBforMySQL/servers/minimalTlsVersion", "equals": "[parameters('minimalTlsVersion')]" } ] }, "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "deployment": { "properties": { "mode": "Incremental", "template": { "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "resourceName": { "type": "String" }, "minimalTlsVersion": { "type": "String" }, "location": { "type": "String" } }, "variables": {}, "resources": [ { "type": "Microsoft.DBforMySQL/servers", "apiVersion": "2017-12-01", "name": "[concat(parameters('resourceName'))]", "location": "[parameters('location')]", "properties": { "sslEnforcement": "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]", "minimalTlsVersion": "[parameters('minimalTlsVersion')]" } } ], "outputs": {} }, "parameters": { "resourceName": { "value": "[field('name')]" }, "minimalTlsVersion": { "value": "[parameters('minimalTlsVersion')]" }, "location": { "value": "[field('location')]" } } } } } } } }
{"policyType":"Custom","mode":"Indexed","displayName":"Azure Database for MySQL server deploy a specific min TLS version and enforce SSL.","description":"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforcing a minimum TLS version for connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.","metadata":{"version":"1.2.0","category":"SQL","source":"https://github.com/Azure/Enterprise-Scale/","alzCloudEnvironments":["AzureCloud","AzureChinaCloud","AzureUSGovernment"]},"parameters":{"effect":{"type":"String","defaultValue":"DeployIfNotExists","allowedValues":["DeployIfNotExists","Disabled"],"metadata":{"displayName":"Effect minimum TLS version Azure Database for MySQL server","description":"Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server"}},"minimalTlsVersion":{"type":"String","defaultValue":"TLS1_2","allowedValues":["TLS1_2","TLS1_0","TLS1_1","TLSEnforcementDisabled"],"metadata":{"displayName":"Select version minimum TLS for MySQL server","description":"Select version minimum TLS version Azure Database for MySQL server to 
enforce"}}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"anyOf":[{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"},{"field":"Microsoft.DBforMySQL/servers/minimalTlsVersion","less":"[parameters('minimalTlsVersion')]"}]}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.DBforMySQL/servers","existenceCondition":{"allOf":[{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","equals":"Enabled"},{"field":"Microsoft.DBforMySQL/servers/minimalTlsVersion","equals":"[parameters('minimalTlsVersion')]"}]},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"Incremental","template":{"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"resourceName":{"type":"String"},"minimalTlsVersion":{"type":"String"},"location":{"type":"String"}},"variables":{},"resources":[{"type":"Microsoft.DBforMySQL/servers","apiVersion":"2017-12-01","name":"[concat(parameters('resourceName'))]","location":"[parameters('location')]","properties":{"sslEnforcement":"[if(equals(parameters('minimalTlsVersion'),'TLSEnforcementDisabled'),'Disabled','Enabled')]","minimalTlsVersion":"[parameters('minimalTlsVersion')]"}}],"outputs":{}},"parameters":{"resourceName":{"value":"[field('name')]"},"minimalTlsVersion":{"value":"[parameters('minimalTlsVersion')]"},"location":{"value":"[field('location')]"}}}}}}}}
Used in 2 Policy Set(s):
• Configure Advanced Threat Protection to be enabled on open-source relational databases (e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e) [Security Center] BuiltIn
• Enforce recommended guardrails for MySQL (Enforce-Guardrails-MySQL) [MySQL] ALZ
if (1)
• 'microsoft.dbformysql/servers'
thenDeployment (1)
• 'Microsoft.DBforMySQL/servers/securityAlertPolicies'
{ "displayName": "Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers", "policyType": "BuiltIn", "mode": "Indexed", "description": "Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.", "metadata": { "version": "1.2.0", "category": "SQL" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "DeployIfNotExists", "Disabled" ], "defaultValue": "DeployIfNotExists" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, { "field": "Microsoft.DBforMySQL/servers/sku.tier", "notContains": "basic" } ] }, "then": { "effect": "[parameters('effect')]", "details": { "type": "Microsoft.DBforMySQL/servers/securityAlertPolicies", "name": "Default", "evaluationDelay": "AfterProvisioningSuccess", "existenceCondition": { "field": "Microsoft.DBforMySQL/servers/securityAlertPolicies/Default.state", "equals": "Enabled" }, "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ], "deployment": { "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "serverName": { "type": "string" } }, "variables": {}, "resources": [ { "name": "[concat(parameters('serverName'), '/Default')]", "type": "Microsoft.DBforMySQL/servers/securityAlertPolicies", "apiVersion": "2017-12-01", "properties": { "state": "Enabled", "emailAccountAdmins": false } } ] }, "parameters": { "serverName": { "value": "[field('name')]" } } } } } } } }
{"displayName":"Configure Advanced Threat Protection to be enabled on Azure database for MySQL servers","policyType":"BuiltIn","mode":"Indexed","description":"Enable Advanced Threat Protection on your non-Basic tier Azure database for MySQL servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.","metadata":{"version":"1.2.0","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["DeployIfNotExists","Disabled"],"defaultValue":"DeployIfNotExists"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sku.tier","notContains":"basic"}]},"then":{"effect":"[parameters('effect')]","details":{"type":"Microsoft.DBforMySQL/servers/securityAlertPolicies","name":"Default","evaluationDelay":"AfterProvisioningSuccess","existenceCondition":{"field":"Microsoft.DBforMySQL/servers/securityAlertPolicies/Default.state","equals":"Enabled"},"roleDefinitionIds":["/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"],"deployment":{"properties":{"mode":"incremental","template":{"$schema":"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion":"1.0.0.0","parameters":{"serverName":{"type":"string"}},"variables":{},"resources":[{"name":"[concat(parameters('serverName'),'/Default')]","type":"Microsoft.DBforMySQL/servers/securityAlertPolicies","apiVersion":"2017-12-01","properties":{"state":"Enabled","emailAccountAdmins":false}}]},"parameters":{"serverName":{"value":"[field('name')]"}}}}}}}}
Used in 28 Policy Set(s):
• CIS Azure Foundations v2.1.0 (fe7782e4-6ff3-4e39-8d8a-64b6f7b82c85) [Regulatory Compliance] BuiltIn
• CIS Controls v8.1 (046796ef-e8a7-4398-bbe9-cce970b1a3ae) [Regulatory Compliance] BuiltIn
• CIS Microsoft Azure Foundations Benchmark v1.1.0 (1a5bb27d-173f-493e-9568-eb56638dde4d) [Regulatory Compliance] BuiltIn
• CIS Microsoft Azure Foundations Benchmark v1.3.0 (612b5213-9160-4969-8578-1518bd2a000c) [Regulatory Compliance] BuiltIn
• CIS Microsoft Azure Foundations Benchmark v2.0.0 (06f19060-9e68-4070-92ca-f15cc126059e) [Regulatory Compliance] BuiltIn
• CMMC Level 3 (b5629c75-5c77-4422-87b9-2509e680f8de) [Regulatory Compliance] BuiltIn
• DORA 2022 2554 (f9c0485f-da8e-43b5-961e-58ebd54b907c) [Regulatory Compliance] BuiltIn
• EU General Data Protection Regulation (GDPR) 2016/679 (7326812a-86a4-40c8-af7c-8945de9c4913) [Regulatory Compliance] BuiltIn
• FedRAMP High (d5264498-16f4-418a-b659-fa7ef418175f) [Regulatory Compliance] BuiltIn
• FedRAMP Moderate (e95f5a9f-57ad-4d03-bb0b-b1d16db93693) [Regulatory Compliance] BuiltIn
• HITRUST/HIPAA (a169a624-5599-4385-a696-c8d643089fab) [Regulatory Compliance] BuiltIn
• K ISMS P 2018 (e0782c37-30da-4a78-9f92-50bfe7aa2553) [Regulatory Compliance] BuiltIn
• Microsoft cloud security benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8) [Security Center] BuiltIn
• NIST SP 800-171 Rev. 2 (03055927-78bd-4236-86c0-f36125a10dc9) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 4 (cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 5 (179d1daa-458f-4e47-8086-2a68d0d6c38f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme (6ce73208-883e-490f-a2ac-44aac3b3687f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme V2 (d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee) [Regulatory Compliance] BuiltIn
• New Zealand ISM (4f5b1359-4f8e-4d7c-9733-ea47fcde891e) [Regulatory Compliance] BuiltIn
• RMIT Malaysia (97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6) [Regulatory Compliance] BuiltIn
• SOC 2 Type 2 (4054785f-702b-4a98-9215-009cbd58b141) [Regulatory Compliance] BuiltIn
• [Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92) [Regulatory Compliance] BuiltIn
• [Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b) [Regulatory Compliance] BuiltIn
• [Deprecated]: New Zealand ISM Restricted v3.5 (93d2179e-3068-c82f-2428-d614ae836a04) [Regulatory Compliance] BuiltIn
• [Preview]: CMMC 2.0 Level 2 (4e50fd13-098b-3206-61d6-d1d78205cb45) [Regulatory Compliance] BuiltIn
• [Preview]: Reserve Bank of India - IT Framework for Banks (d0d5578d-cc08-2b22-31e3-f525374f235a) [Regulatory Compliance] BuiltIn
• [Preview]: Reserve Bank of India - IT Framework for NBFC (7f89f09c-48c1-f28d-1bd5-84f3fb22f86c) [Regulatory Compliance] BuiltIn
• [Preview]: SWIFT CSP-CSCF v2021 (abf84fac-f817-a70c-14b5-47eec767458a) [Regulatory Compliance] BuiltIn
if (1)
• 'Microsoft.DBforMySQL/servers/sslEnforcement' (ref)
if (1)
• 'microsoft.dbformysql/servers'
Used 28x as a control:
• CMMC_L2_v1.9.0_SI.L2_3.14.6 (ref)
• FedRAMP_High_R4_IA-5(1) (ref)
• NIST_SP_800-53_R4_SI-3(1) (ref)
• NZISM_v3.7_17.1.55.C.01. (ref)
• K_ISMS_P_2018_2.7.2 (ref)
• NIST_SP_800-53_R5_PE-14 (ref)
• CSA_v4.0.12_DCS_06 (ref)
• ISO_IEC_27002_2022_8.3 (ref)
• CIS_Controls_v8.1_7.6 (ref)
• CIS_Azure_Foundations_v3.0.0_3.1.14 (ref)
• NIST_SP_800-53_R5_SC-20 (ref)
• SWIFT_CSCF_v2022_2.4 (ref)
• FedRAMP_Moderate_R4_SC-12 (ref)
• hipaa-1327.02e2Organizational.8-02.e (ref)
• NIST_SP_800-53_R4_AC-17 (ref)
• SOC_2_PI1.4 (ref)
• CIS_Azure_1.3.0_4.3.1 (ref)
• NIST_CSF_v2.0_RC.RP_04 (ref)
• IRS_1075_9.3.6.6 (ref)
• FedRAMP_High_R4_CM-5(2) (ref)
• NZISM_v3.7_19.3.9.C.01. (ref)
• SWIFT_CSCF_v2022_11.4 (ref)
• NIST_SP_800-53_R4_SC-7(4) (ref)
• FedRAMP_High_R4_MA-4 (ref)
• hipaa-1668.12d1Organizational.67-12.d (ref)
• hipaa-1787.10a2Organizational.1-10.a (ref)
• NIST_SP_800-53_R5_IA-8(1) (ref)
• CIS_Azure_1.3.0_1.20 (ref)
{ "displayName": "Enforce SSL connection should be enabled for MySQL database servers", "policyType": "BuiltIn", "mode": "Indexed", "description": "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.", "metadata": { "version": "1.0.1", "category": "SQL" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, { "field": "Microsoft.DBforMySQL/servers/sslEnforcement", "exists": "true" }, { "field": "Microsoft.DBforMySQL/servers/sslEnforcement", "notEquals": "Enabled" } ] }, "then": { "effect": "[parameters('effect')]" } } }
{"displayName":"Enforce SSL connection should be enabled for MySQL database servers","policyType":"BuiltIn","mode":"Indexed","description":"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.","metadata":{"version":"1.0.1","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","exists":"true"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","notEquals":"Enabled"}]},"then":{"effect":"[parameters('effect')]"}}}
if (1)
• 'Microsoft.DBforMySQL/servers/sslEnforcement' (ref)
if (1)
• 'microsoft.dbformysql/servers'
{ "displayName": "Enforce SSL on all DB for MySQL instances", "description": "This policy ensures SSL is enforced on all DB for MySQL instances", "metadata": { "category": "SQL", "version": "1.0.0" }, "mode": "Indexed", "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Deny, Audit or Disable the execution of the Policy" }, "allowedValues": [ "Deny", "Audit", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, { "field": "Microsoft.DBforMySQL/servers/sslEnforcement", "equals": "Disabled" } ] }, "then": { "effect": "[parameters('effect')]" } } }
{"displayName":"Enforce SSL on all DB for MySQL instances","description":"This policy ensures SSL is enforced on all DB for MySQL instances","metadata":{"category":"SQL","version":"1.0.0"},"mode":"Indexed","parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Deny, Audit or Disable the execution of the Policy"},"allowedValues":["Deny","Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/sslEnforcement","equals":"Disabled"}]},"then":{"effect":"[parameters('effect')]"}}}
Used in 32 Policy Set(s):
• CMMC Level 3 (b5629c75-5c77-4422-87b9-2509e680f8de) [Regulatory Compliance] BuiltIn
• Canada Federal PBMM 3-1-2020 (f8f5293d-df94-484a-a3e7-6b422a999d91) [Regulatory Compliance] BuiltIn
• Cybersecurity Maturity Model Certification (CMMC) Level 2 v1.9.0 (a4087154-2edb-4329-b56a-1cc986807f3c) [Regulatory Compliance] BuiltIn
• DORA 2022 2554 (f9c0485f-da8e-43b5-961e-58ebd54b907c) [Regulatory Compliance] BuiltIn
• EU 2022/2555 (NIS2) 2022 (42346945-b531-41d8-9e46-f95057672e88) [Regulatory Compliance] BuiltIn
• EU General Data Protection Regulation (GDPR) 2016/679 (7326812a-86a4-40c8-af7c-8945de9c4913) [Regulatory Compliance] BuiltIn
• FedRAMP High (d5264498-16f4-418a-b659-fa7ef418175f) [Regulatory Compliance] BuiltIn
• FedRAMP Moderate (e95f5a9f-57ad-4d03-bb0b-b1d16db93693) [Regulatory Compliance] BuiltIn
• HITRUST CSF v11.3 (e0d47b75-5d99-442a-9d60-07f2595ab095) [Regulatory Compliance] BuiltIn
• HITRUST/HIPAA (a169a624-5599-4385-a696-c8d643089fab) [Regulatory Compliance] BuiltIn
• K ISMS P 2018 (e0782c37-30da-4a78-9f92-50bfe7aa2553) [Regulatory Compliance] BuiltIn
• Microsoft cloud security benchmark (1f3afdf9-d0c9-4c3d-847f-89da613e70a8) [Security Center] BuiltIn
• NIST SP 800-171 Rev. 2 (03055927-78bd-4236-86c0-f36125a10dc9) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 R5.1.1 (60205a79-6280-4e20-a147-e2011e09dc78) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 4 (cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f) [Regulatory Compliance] BuiltIn
• NIST SP 800-53 Rev. 5 (179d1daa-458f-4e47-8086-2a68d0d6c38f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme (6ce73208-883e-490f-a2ac-44aac3b3687f) [Regulatory Compliance] BuiltIn
• NL BIO Cloud Theme V2 (d8b2ffbe-c6a8-4622-965d-4ade11d1d2ee) [Regulatory Compliance] BuiltIn
• NZISM v3.7 (4476df0a-18ab-4bfe-b6ad-cccae1cf320f) [Regulatory Compliance] BuiltIn
• RMIT Malaysia (97a6d4f1-3bed-4cf4-ac5b-0e444c0408d6) [Regulatory Compliance] BuiltIn
• SOC 2 Type 2 (4054785f-702b-4a98-9215-009cbd58b141) [Regulatory Compliance] BuiltIn
• SOC 2023 (53ad89f5-8542-49e9-ba81-1cbd686e0d52) [Regulatory Compliance] BuiltIn
• Sarbanes Oxley Act 2022 (5757cf73-35d1-46d4-8c78-17b7ddd6076a) [Regulatory Compliance] BuiltIn
• Spain ENS (175daf90-21e1-4fec-b745-7b4c909aa94c) [Regulatory Compliance] BuiltIn
• [Deprecated]: Azure Security Benchmark v1 (42a694ed-f65e-42b2-aa9e-8052e9740a92) [Regulatory Compliance] BuiltIn
• [Deprecated]: Azure Security Benchmark v2 (bb522ac1-bc39-4957-b194-429bcd3bcb0b) [Regulatory Compliance] BuiltIn
• [Deprecated]: DoD Impact Level 4 (8d792a84-723c-4d92-a3c3-e4ed16a2d133) [Regulatory Compliance] BuiltIn
• [Preview]: CMMC 2.0 Level 2 (4e50fd13-098b-3206-61d6-d1d78205cb45) [Regulatory Compliance] BuiltIn
• [Preview]: NIS2 (32ff9e30-4725-4ca7-ba3a-904a7721ee87) [Regulatory Compliance] BuiltIn
• [Preview]: Reserve Bank of India - IT Framework for Banks (d0d5578d-cc08-2b22-31e3-f525374f235a) [Regulatory Compliance] BuiltIn
• [Preview]: Reserve Bank of India - IT Framework for NBFC (7f89f09c-48c1-f28d-1bd5-84f3fb22f86c) [Regulatory Compliance] BuiltIn
• [Preview]: SWIFT CSP-CSCF v2021 (abf84fac-f817-a70c-14b5-47eec767458a) [Regulatory Compliance] BuiltIn
if (1)
• 'Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup' (ref)
if (1)
• 'microsoft.dbformysql/servers'
Used 32x as a control:
• CMMC_L2_v1.9.0_SI.L2_3.14.6 (ref)
• CIS_Azure_Foundations_v3.0.0_3.3.3 (ref)
• NZISM_v3.7_17.1.55.C.01. (ref)
• NIST_SP_800-53_R5_PE-14 (ref)
• CIS_Azure_1.4.0_6.5 (ref)
• CSA_v4.0.12_DCS_06 (ref)
• CIS_Azure_1.3.0_6.4 (ref)
• ISO_IEC_27002_2022_8.3 (ref)
• PCI_DSS_v4.0_7.1.2 (ref)
• CIS_Controls_v8.1_7.6 (ref)
• FedRAMP_Moderate_R4_SC-19 (ref)
• CIS_Azure_1.3.0_2.7 (ref)
• FedRAMP_High_R4_MP-6 (ref)
• SWIFT_CSCF_v2022_2.4 (ref)
• FedRAMP_Moderate_R4_SC-12 (ref)
• hipaa-1327.02e2Organizational.8-02.e (ref)
• PCI_DSS_v4.0_12.6.2 (ref)
• SOC_2_PI1.4 (ref)
• CIS_Azure_1.3.0_4.3.1 (ref)
• mp.eq.3 Protection of portable devices (ref)
• NIST_CSF_v2.0_RC.RP_04 (ref)
• IRS_1075_9.3.6.6 (ref)
• FedRAMP_High_R4_CM-5(2) (ref)
• NZISM_v3.7_19.3.9.C.01. (ref)
• SWIFT_CSCF_v2022_11.4 (ref)
• NIST_SP_800-53_R4_SC-7(4) (ref)
• FedRAMP_High_R4_MA-4 (ref)
• hipaa-1668.12d1Organizational.67-12.d (ref)
• NZISM_v3.7_12.4.4.C.02. (ref)
• hipaa-1787.10a2Organizational.1-10.a (ref)
• hipaa-1421.05j2Organizational.12-05.j (ref)
• NIST_SP_800-53_R5_IA-8(1) (ref)
{ "displayName": "Geo-redundant backup should be enabled for Azure Database for MySQL", "policyType": "BuiltIn", "mode": "Indexed", "description": "Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.", "metadata": { "version": "1.0.1", "category": "SQL" }, "parameters": { "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Enable or disable the execution of the policy" }, "allowedValues": [ "Audit", "Disabled" ], "defaultValue": "Audit" } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.DBforMySQL/servers" }, { "field": "Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup", "notEquals": "Enabled" } ] }, "then": { "effect": "[parameters('effect')]" } } }
{"displayName":"Geo-redundant backup should be enabled for Azure Database for MySQL","policyType":"BuiltIn","mode":"Indexed","description":"Azure Database for MySQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create.","metadata":{"version":"1.0.1","category":"SQL"},"parameters":{"effect":{"type":"String","metadata":{"displayName":"Effect","description":"Enable or disable the execution of the policy"},"allowedValues":["Audit","Disabled"],"defaultValue":"Audit"}},"policyRule":{"if":{"allOf":[{"field":"type","equals":"Microsoft.DBforMySQL/servers"},{"field":"Microsoft.DBforMySQL/servers/storageProfile.geoRedundantBackup","notEquals":"Enabled"}]},"then":{"effect":"[parameters('effect')]"}}}