Enforce recommended guardrails for App Service

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Policy DisplayName

Policy Id

Category

Effect

Roles#

Roles

State

Type

App Service app slots should enable configuration routing to Azure Virtual Network

5747353b-1ca9-42c1-a4dd-b874b894f3d4

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network

f5c0bfb3-acea-47b1-b477-b0edcdf6edc1

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

App Service apps should enable configuration routing to Azure Virtual Network

801543d1-1953-4a90-b8b0-8cf6d41473a5

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network

a691eacb-474d-47e4-b287-b4813ca44222

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

App Service apps should use a SKU that supports private link

546fe8d2-368d-4029-a418-6af48a7f61e5

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

App Service certificates must be stored in Key Vault

Deny-AppService-without-BYOC

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

ALZ

App Service Environment should be provisioned with latest versions

eb4d34ab-0929-491c-bbf3-61e13da19f9a

App Service

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

Configure App Service app slots to disable local authentication for SCM sites

2c034a29-2a5f-4857-b120-f800fe5549ae

App Service

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Website Contributor

BuiltIn

Configure App Service app slots to disable public network access

c6c3e00e-d414-4ca4-914f-406699bb8eee

App Service

Default
Modify
Allowed
Modify, Disabled

Managed Identity Operator, Network Contributor, Website Contributor

BuiltIn

Configure App Service app slots to turn off remote debugging

cca5adfe-626b-4cc6-8522-f5b6ed2391bd

App Service

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Website Contributor

BuiltIn

Configure App Service apps to disable local authentication for FTP deployments

572e342c-c920-4ef5-be2e-1ed3c6a51dc5

App Service

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Website Contributor

BuiltIn

Configure App Service apps to disable local authentication for SCM sites

5e97b776-f380-4722-a9a3-e7f0be029e79

App Service

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Website Contributor

BuiltIn

Configure App Service apps to disable public network access

2374605e-3e0b-492b-9046-229af202562c

App Service

Default
Modify
Allowed
Modify, Disabled

Managed Identity Operator, Network Contributor, Website Contributor

BuiltIn

Configure App Service apps to only be accessible over HTTPS

0f98368e-36bc-4716-8ac2-8f8067203b63

App Service

Default
Modify
Allowed
Modify, Disabled

Website Contributor

BuiltIn

Configure App Service apps to turn off remote debugging

a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b

App Service

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Website Contributor

BuiltIn

Configure Function app slots to disable public network access

242222f3-4985-4e99-b5ef-086d6a6cb01c

App Service

Default
Modify
Allowed
Modify, Disabled

Managed Identity Operator, Network Contributor, Website Contributor

BuiltIn

Configure Function app slots to only be accessible over HTTPS

08cf2974-d178-48a0-b26d-f6b8e555748b

App Service

Default
Modify
Allowed
Modify, Disabled

Website Contributor

BuiltIn

Configure Function app slots to turn off remote debugging

70adbb40-e092-42d5-a6f8-71c540a5efdb

App Service

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Website Contributor

BuiltIn

Configure Function apps to turn off remote debugging

25a5046c-c423-4805-9235-e844ae9ef49b

App Service

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Website Contributor

BuiltIn

Role

Role Id

Policies count

Policies

Website Contributor

de139f84-1756-47ae-9be6-808fbbe84772

Configure App Service app slots to disable local authentication for SCM sites, Configure App Service app slots to disable public network access, Configure App Service app slots to turn off remote debugging, Configure App Service apps to disable local authentication for FTP deployments, Configure App Service apps to disable local authentication for SCM sites, Configure App Service apps to disable public network access, Configure App Service apps to only be accessible over HTTPS, Configure App Service apps to turn off remote debugging, Configure Function app slots to disable public network access, Configure Function app slots to only be accessible over HTTPS, Configure Function app slots to turn off remote debugging, Configure Function apps to turn off remote debugging

Managed Identity Operator

f1a07417-d97a-45cb-824c-7a7467783830

Configure App Service app slots to disable public network access, Configure App Service apps to disable public network access, Configure Function app slots to disable public network access

Network Contributor

4d97b98b-1d4f-4787-a291-c67834d212e7

Configure App Service app slots to disable public network access, Configure App Service apps to disable public network access, Configure Function app slots to disable public network access