Hi,

In this new article, I will share with you a new Azure Policy action: « Deny Action ». DenyAction is used to block requests on intended action to resources. The only supported action today is DELETE. This effect will help prevent any accidental deletion of critical resources.

This new Azure Policy action could help you to remove the Lock Type « Delete » in place at the Resource Group level.

Please find below an example:

{
   "if": {
      "allOf": [
         {
            "field": "type",
            "equals": "Microsoft.DocumentDb/accounts"
         },
         {
            "field": "tags.environment",
            "equals": "prod"
         }
      ]
   },
   "then": {
      "effect": "DenyAction",
      "details": {
         "actionNames": [ "delete" ],
         "cascadeBehaviors": { "resourceGroup": "deny" }
      }
   }
}

Maxime.

Hi!

I will show a new storage account feature which can help you to prevent data breach. This feature will help you to restrict the copy operations at the storage account level.

Three options are available:

• From any storage accounts (default value)
• From storage accounts in the same Azure AD tenant
• From storage accounts that have a private endpoint to the same virtual network

I will recommend you to protect all your storage account with a custom Azure Policy which uses the alias parameter: allowedCopyScope

Maxime.