Enforce recommended guardrails for Synapse workspaces

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Policy types

Policy states

Policy categories

Total Policies: 9
Builtin Policies: 9
Static Policies: 0
ALZ Policies: 0

GA: 9

2 categories:

Security Center: 1
Synapse: 8

Rows: 1-9 / 9

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Page of 1

Policy DisplayName

Policy Id

Category

Effect

Roles#

Roles

State

Type

policy in AzUSGov

Azure Synapse workspaces should allow outbound data traffic only to approved targets

3484ce98-c0c5-4c83-994b-c5ac24785218

Synapse

Default
Audit
Allowed
Audit, Disabled, Deny

BuiltIn

unknown

Configure Azure Synapse Workspace Dedicated SQL minimum TLS version

8b5c654c-fb07-471b-aa8f-15fea733f140

Synapse

Default
Modify
Allowed
Modify, Disabled

Contributor

BuiltIn

unknown

Configure Azure Synapse workspaces to disable public network access

5c8cad01-ef30-4891-b230-652dadb4876a

Synapse

Default
Modify
Allowed
Modify, Disabled

Contributor

BuiltIn

unknown

Configure Microsoft Defender for SQL to be enabled on Synapse workspaces

951c1558-50a5-4ca3-abb6-a93e3e2367a6

Security Center

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

SQL Security Manager

BuiltIn

unknown

Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation

c3624673-d2ff-48e0-b28c-5de1c6767c3c

Synapse

Default
Modify
Allowed
Modify, Disabled

Contributor

BuiltIn

unknown

IP firewall rules on Azure Synapse workspaces should be removed

56fd377d-098c-4f02-8406-81eb055902b8

Synapse

Default
Audit
Allowed
Audit, Disabled

BuiltIn

unknown

Managed workspace virtual network on Azure Synapse workspaces should be enabled

2d9dbfa3-927b-4cf0-9d0f-08747f971650

Synapse

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

unknown

Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants

3a003702-13d2-4679-941b-937e58c443f0

Synapse

Default
Audit
Allowed
Audit, Disabled, Deny

BuiltIn

true

Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation

2158ddbe-fefa-408e-b43f-d4faef8ff3b8

Synapse

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

true

Role

Role Id

#Policies

Policies

SQL Security Manager

056cd41c-7e88-42e1-933e-88ba6a50c9c3

Configure Microsoft Defender for SQL to be enabled on Synapse workspaces

Contributor

b24988ac-6180-42a0-ab88-20f7382dd24c

Configure Azure Synapse Workspace Dedicated SQL minimum TLS version, Configure Azure Synapse workspaces to disable public network access, Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation

{

policyType: "Custom",
displayName: "Enforce recommended guardrails for Synapse workspaces",
description: "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.",
metadata: {4 items
- version: "1.2.0",
- category: "Synapse",
- source: "https://github.com/Azure/Enterprise-Scale/",
- alzCloudEnvironments: [3 items
  - "AzureCloud",
  - "AzureChinaCloud",
  - "AzureUSGovernment"
  ]
},
parameters: {10 items
- synapseLocalAuth: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- synapseManagedVnet: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- synapseDataTraffic: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- synapseTenants: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- synapseAllowedTenantIds: {2 items
  - type: "array",
  - defaultValue: [1 item
    - "[subscription().tenantId]"
    ]
  },
- synapseFwRules: {3 items
  - type: "string",
  - defaultValue: "Audit",
  - allowedValues: [2 items
    - "Audit",
    - "Disabled"
    ]
  },
- synapseModifyLocalAuth: {3 items
  - type: "string",
  - defaultValue: "Modify",
  - allowedValues: [2 items
    - "Modify",
    - "Disabled"
    ]
  },
- synapseDefender: {3 items
  - type: "string",
  - defaultValue: "DeployIfNotExists",
  - allowedValues: [2 items
    - "DeployIfNotExists",
    - "Disabled"
    ]
  },
- synapseModifyTlsVersion: {3 items
  - type: "string",
  - defaultValue: "Modify",
  - allowedValues: [2 items
    - "Modify",
    - "Disabled"
    ]
  },
- synapseModifyPublicNetworkAccess: {3 items
  - type: "string",
  - defaultValue: "Modify",
  - allowedValues: [2 items
    - "Modify",
    - "Disabled"
    ]
  }
},
policyDefinitions: [9 items
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6 Configure Microsoft Defender for SQL to be enabled on Synapse workspaces ,
  - policyDefinitionReferenceId: "Dine-Synapse-Defender",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseDefender')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c Configure Synapse Workspaces to use only Microsoft Entra identities for authentication during workspace creation ,
  - policyDefinitionReferenceId: "Modify-Synapse-Local-Auth",
  - definitionVersion: 1.*.*1.2.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseModifyLocalAuth')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8 IP firewall rules on Azure Synapse workspaces should be removed ,
  - policyDefinitionReferenceId: "Deny-Synapse-Fw-Rules",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseFwRules')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0 Synapse managed private endpoints should only connect to resources in approved Azure Active Directory tenants ,
  - policyDefinitionReferenceId: "Deny-Synapse-Tenant-Access",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {2 items
    - effect: {1 item
      - value: "[parameters('synapseTenants')]"
      },
    - allowedTenantIds: {1 item
      - value: "[parameters('synapseAllowedTenantIds')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218 Azure Synapse workspaces should allow outbound data traffic only to approved targets ,
  - policyDefinitionReferenceId: "Deny-Synapse-Data-Traffic",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseDataTraffic')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650 Managed workspace virtual network on Azure Synapse workspaces should be enabled ,
  - policyDefinitionReferenceId: "Deny-Synapse-Managed-Vnet",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseManagedVnet')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8 Synapse Workspaces should use only Microsoft Entra identities for authentication during workspace creation ,
  - policyDefinitionReferenceId: "Deny-Synapse-Local-Auth",
  - definitionVersion: 1.*.*1.2.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseLocalAuth')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140 Configure Azure Synapse Workspace Dedicated SQL minimum TLS version ,
  - policyDefinitionReferenceId: "Modify-Synapse-Tls-Version",
  - definitionVersion: 1.*.*1.1.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseModifyTlsVersion')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a Configure Azure Synapse workspaces to disable public network access ,
  - policyDefinitionReferenceId: "Modify-Synapse-Public-Network-Access",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('synapseModifyPublicNetworkAccess')]"
      }
    }
  }
],
policyDefinitionGroups: null

}