Category: Miscellaneous

Azure Policy | Deny Action

Hi,

In this new article, I will share with you a new Azure Policy effect: « Deny Action ». DenyAction blocks requests that attempt a specified action on resources. The only supported action today is DELETE. This effect helps prevent accidental deletion of critical resources.

This new Azure Policy effect could allow you to remove the « Delete » lock currently in place at the resource group level.

Please find below an example:

{
   "if": {
      "allOf": [
         {
            "field": "type",
            "equals": "Microsoft.DocumentDb/accounts"
         },
         {
            "field": "tags.environment",
            "equals": "prod"
         }
      ]
   },
   "then": {
      "effect": "DenyAction",
      "details": {
         "actionNames": [ "delete" ],
         "cascadeBehaviors": { "resourceGroup": "deny" }
      }
   }
}

Maxime.

Microsoft Ignite 2022, Seattle WA

Hi!

I had the pleasure of being a speaker at Microsoft Ignite 2022 in Seattle, WA! That was my first in-person conference since Covid-19. This year the experience of Microsoft Ignite was different from what I have seen during previous editions. A lot of sessions were available in real time both online and in person; I think that was a great idea for people who can't travel to Seattle.

During these two days of sessions, I had the pleasure of meeting a great number of Microsoft MVPs, Microsoft employees and attendees.

To give you an idea of the event, please find below a series of photos:

Maxime.

Storage Account | Permitted scope for copy operations

Hi!

I will show a new storage account feature which can help you prevent data breaches. This feature helps you restrict copy operations at the storage account level.

Three options are available:

  • From any storage accounts (default value)
  • From storage accounts in the same Azure AD tenant
  • From storage accounts that have a private endpoint to the same virtual network

I recommend protecting all your storage accounts with a custom Azure Policy that uses the alias parameter: allowedCopyScope

Maxime.
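
One way to write the custom policy recommended above for the copy scope, added here as an example and not taken from the original post: it flags any storage account whose copy scope is unset (the default, any storage account) or outside the two restricted options. The full alias path, the `AAD` and `PrivateLink` values, and the parameter names are assumptions to check against the alias list in your own tenant.

```json
{
  "mode": "Indexed",
  "metadata": {
    "description": "Added example. Alias path and scope values are assumptions; verify them before assignment."
  },
  "parameters": {
    "effect": {
      "type": "String",
      "metadata": { "description": "Start with Audit to inventory accounts, then switch to Deny." },
      "allowedValues": [ "Audit", "Deny", "Disabled" ],
      "defaultValue": "Audit"
    },
    "allowedScopes": {
      "type": "Array",
      "metadata": { "description": "Assumed values: AAD = same Azure AD tenant, PrivateLink = private endpoint to the same virtual network." },
      "defaultValue": [ "AAD", "PrivateLink" ]
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "anyOf": [
            {
              "field": "Microsoft.Storage/storageAccounts/allowedCopyScope",
              "exists": "false"
            },
            {
              "field": "Microsoft.Storage/storageAccounts/allowedCopyScope",
              "notIn": "[parameters('allowedScopes')]"
            }
          ]
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}
```

The `exists: false` branch matters because an account left on the default option carries no copy-scope value at all, so a check on the value alone would not state that case explicitly.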