AzPolicyAdvertizer

last sync: 2025-Oct-31 18:22:59 UTC

Configure Azure AI Services resources to disable local key access (disable local authentication)

Azure BuiltIn Policy definition

Source Azure Portal
Display name Configure Azure AI Services resources to disable local key access (disable local authentication)
Id 55eff01b-f2bd-4c32-9203-db285f709d30
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.0.0
Built-in Versioning [Preview]
Category Azure Ai Services
Microsoft Learn
Description Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth
Cloud environments AzureCloud = true
AzureUSGovernment = unknown
AzureChinaCloud = unknown
Available in AzUSGov Unknown, no evidence if Policy definition is/not available in AzureUSGovernment
Mode Indexed
Type BuiltIn
Preview False
Deprecated False
Effect Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled
RBAC role(s)
Role Name Role Id
Cognitive Services OpenAI Contributor a001fd3d-188f-4b5d-821b-7da978bf7442
Cognitive Services Contributor 25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68
Rule aliases THEN-ExistenceCondition (1)
Alias Namespace ResourceType Path PathIsDefault DefaultPath Modifiable
Microsoft.CognitiveServices/accounts/disableLocalAuth Microsoft.CognitiveServices accounts properties.disableLocalAuth True True
Rule resource types IF (1)
THEN-Deployment (1)
Compliance
The following 1 compliance controls are associated with this Policy definition 'Configure Azure AI Services resources to disable local key access (disable local authentication)' (55eff01b-f2bd-4c32-9203-db285f709d30)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
Azure_Security_Benchmark_v3.0 IM-1 Azure_Security_Benchmark_v3.0_IM-1 Microsoft cloud security benchmark IM-1 Identity Management IM-1 Use centralized identity and authentication system Shared **Security Principle:** Use a centralized identity and authentication system to govern your organization's identities and authentications for cloud and non-cloud resources. **Azure Guidance:** Microsoft Entra ID is Azure's identity and authentication management service. You should standardize on Microsoft Entra ID to govern your organization's identity and authentication in: - Microsoft cloud resources, such as the Azure Storage, Azure Virtual Machines (Linux and Windows), Azure Key Vault, PaaS, and SaaS applications. - Your organization's resources, such as applications on Azure, third-party applications running on your corporate network resources, and third-party SaaS applications. - Your enterprise identities in Active Directory by synchronization to Microsoft Entra ID to ensure a consistent and centrally managed identity strategy. Note: As soon as it is technically feasible, you should migrate on-premises Active Directory based applications to Microsoft Entra ID. This could be a Microsoft Entra Enterprise Directory, Business to Business configuration, or Business to consumer configuration. **Implementation and additional context:** Tenancy in Microsoft Entra ID: https://docs.microsoft.com/azure/active-directory/develop/single-and-multi-tenant-apps How to create and configure a Microsoft Entra instance: https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-access-create-new-tenant Define Microsoft Entra ID tenants: https://azure.microsoft.com/resources/securing-azure-environments-with-azure-active-directory/ Use external identity providers for an application: https://docs.microsoft.com/azure/active-directory/b2b/identity-providers n/a link 22
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type polSet in AzUSGov
[Preview]: Microsoft cloud security benchmark v2 e3ec7e09-768c-4b64-882c-fcada3772047 Security Center Preview BuiltIn unknown
Enforce recommended guardrails for Open AI (Cognitive Service) Enforce-Guardrails-OpenAI Cognitive Services GA ALZ
History
Date/Time (UTC ymd) (i) Change type Change detail
2024-04-12 17:45:57 add 55eff01b-f2bd-4c32-9203-db285f709d30
JSON compare n/a
JSON
api-version=2021-06-01
EPAC