AzInitiativeAdvertizer

last sync: 2025-Jul-10 17:22:37 UTC

Enforce recommended guardrails for Synapse workspaces

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source Repository Azure Landing Zones (ALZ) GitHub
JSON Enforce-Guardrails-Synapse
Display nameEnforce recommended guardrails for Synapse workspaces
IdEnforce-Guardrails-Synapse
Version1.2.0
Details on versioning
CategorySynapse
DescriptionThis policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.
Cloud environments AzureChinaCloud
AzureCloud
AzureUSGovernment
TypeCustom Azure Landing Zones (ALZ)
DeprecatedFalse
PreviewFalse
Policy-used summary
Policy types Policy states Policy categories
Total Policies: 9
Builtin Policies: 9
Static Policies: 0
ALZ Policies: 0
GA: 9
2 categories:
Security Center: 1
Synapse: 8
Policy-used
Policy DisplayName Policy Id Category Effect Roles# Roles State Type policy in AzUSGov
Azure Synapse workspaces should allow outbound data traffic only to approved targets 3484ce98-c0c5-4c83-994b-c5ac24785218 Synapse Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA BuiltIn unknown
Configure Azure Synapse Workspace Dedicated SQL minimum TLS version 8b5c654c-fb07-471b-aa8f-15fea733f140 Synapse Default
Modify
Allowed
Modify, Disabled		 1 Contributor GA BuiltIn unknown
Configure Azure Synapse workspaces to disable public network access 5c8cad01-ef30-4891-b230-652dadb4876a Synapse Default
Modify
Allowed
Modify, Disabled		 1 Contributor GA BuiltIn unknown
Configure Microsoft Defender for SQL to be enabled on Synapse workspaces 951c1558-50a5-4ca3-abb6-a93e3e2367a6 Security Center Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled		 1 SQL Security Manager GA BuiltIn unknown
Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation c3624673-d2ff-48e0-b28c-5de1c6767c3c Synapse Default
Modify
Allowed
Modify, Disabled		 1 Contributor GA BuiltIn unknown
IP firewall rules on Azure Synapse workspaces should be removed 56fd377d-098c-4f02-8406-81eb055902b8 Synapse Default
Audit
Allowed
Audit, Disabled		 0 GA BuiltIn unknown
Managed workspace virtual network on Azure Synapse workspaces should be enabled 2d9dbfa3-927b-4cf0-9d0f-08747f971650 Synapse Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn unknown
Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants 3a003702-13d2-4679-941b-937e58c443f0 Synapse Default
Audit
Allowed
Audit, Disabled, Deny		 0 GA BuiltIn true
Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation 2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Default
Audit
Allowed
Audit, Deny, Disabled		 0 GA BuiltIn true
Roles used
History none
JSON compare n/a
JSON
EPAC