From c112574a90fd0507634dc9ab25dd71b7d4dae514 Mon Sep 17 00:00:00 2001 From: Thomas Defise Date: Wed, 3 Apr 2024 17:49:25 +0200 Subject: [PATCH] Adding new policy --- .../azurepolicy.json | 52 +++++++++++++++++++ .../azurepolicy.parameters.json | 14 +++++ .../azurepolicy.rules.json | 25 +++++++++ 3 files changed, 91 insertions(+) create mode 100644 policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.json create mode 100644 policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.parameters.json create mode 100644 policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.rules.json diff --git a/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.json b/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.json new file mode 100644 index 00000000..9038ddde --- /dev/null +++ b/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.json @@ -0,0 +1,52 @@ +{ + "name": "d15c0177-f092-4797-82ef-cb2ec89cf527", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "App services should have local authentication methods disabled for FTP deployments", + "description": "Disabling local authentication methods for FTP deployments improves security by ensuring that App Service apps exclusively require Microsoft Entra identities for authentication. Learn more at: https://aka.ms/app-service-disable-basic-auth.", + "metadata": { + "version": "1.0.0", + "category": "App Service" + }, + "mode": "All", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "name": "ftp", + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "existenceCondition": { + "field": "Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow", + "equals": "false" + } + } + } + } + } +} diff --git a/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.parameters.json b/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.parameters.json new file mode 100644 index 00000000..fb8acc98 --- /dev/null +++ b/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.parameters.json @@ -0,0 +1,14 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "AuditIfNotExists" + } +} diff --git a/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.rules.json b/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.rules.json new file mode 100644 index 00000000..04647523 --- /dev/null +++ b/policyDefinitions/App Service/web-apps-should-have-ftp-basic-auth-disabled/azurepolicy.rules.json @@ -0,0 +1,25 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "field": "kind", + "notContains": "functionapp" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "name": "ftp", + "type": "Microsoft.Web/sites/basicPublishingCredentialsPolicies", + "existenceCondition": { + "field": "Microsoft.Web/sites/basicPublishingCredentialsPolicies/allow", + "equals": "false" + } + } + } +}