AzInitiativeAdvertizer

last sync: 2025-Jul-02 17:24:31 UTC

Enforce recommended guardrails for App Service

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Source

Repository Azure Landing Zones (ALZ) GitHub
JSON Enforce-Guardrails-AppServices

Display name

Enforce recommended guardrails for App Service

Id

Enforce-Guardrails-AppServices

Version

1.1.0
Details on versioning

Category

App Service

Description

This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.

Cloud environments

AzureChinaCloud
AzureCloud
AzureUSGovernment

Type

Custom Azure Landing Zones (ALZ)

Deprecated

False

Preview

False

Policy-used summary

Policy types	Policy states	Policy categories
Total Policies: 19 Builtin Policies: 18 Static Policies: 0 ALZ Policies: 1	GA: 19	1 categories: App Service: 19

Policy-used

Loading extensions...

Rows: 1-10 / 19
Records:
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, **[empty]**, **[nonempty]**, **rgx:**
Learn more
TableFilter v0.7.3
https://www.tablefilter.com/
©2015-2025 Max Guglielmi
Close
?
Page of 2
Policy DisplayName	Policy Id	Category	Effect	Roles#	Roles	State	Type	policy in AzUSGov

App Service app slots should enable configuration routing to Azure Virtual Network	5747353b-1ca9-42c1-a4dd-b874b894f3d4	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	unknown
App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network	f5c0bfb3-acea-47b1-b477-b0edcdf6edc1	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	unknown
App Service apps should enable configuration routing to Azure Virtual Network	801543d1-1953-4a90-b8b0-8cf6d41473a5	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	unknown
App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network	a691eacb-474d-47e4-b287-b4813ca44222	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	unknown
App Service apps should use a SKU that supports private link	546fe8d2-368d-4029-a418-6af48a7f61e5	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	unknown
App Service certificates must be stored in Key Vault	Deny-AppService-without-BYOC	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA	ALZ
App Service Environment should be provisioned with latest versions	eb4d34ab-0929-491c-bbf3-61e13da19f9a	App Service	Default Audit Allowed Audit, Deny, Disabled	0		GA	BuiltIn	true
Configure App Service app slots to disable local authentication for SCM sites	2c034a29-2a5f-4857-b120-f800fe5549ae	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Website Contributor	GA	BuiltIn	true
Configure App Service app slots to disable public network access	c6c3e00e-d414-4ca4-914f-406699bb8eee	App Service	Default Modify Allowed Modify, Disabled	3	Managed Identity Operator, Network Contributor, Website Contributor	GA	BuiltIn	true
Configure App Service app slots to turn off remote debugging	cca5adfe-626b-4cc6-8522-f5b6ed2391bd	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Website Contributor	GA	BuiltIn	true
Configure App Service apps to disable local authentication for FTP deployments	572e342c-c920-4ef5-be2e-1ed3c6a51dc5	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Website Contributor	GA	BuiltIn	true
Configure App Service apps to disable local authentication for SCM sites	5e97b776-f380-4722-a9a3-e7f0be029e79	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Website Contributor	GA	BuiltIn	true
Configure App Service apps to disable public network access	2374605e-3e0b-492b-9046-229af202562c	App Service	Default Modify Allowed Modify, Disabled	3	Managed Identity Operator, Network Contributor, Website Contributor	GA	BuiltIn	true
Configure App Service apps to only be accessible over HTTPS	0f98368e-36bc-4716-8ac2-8f8067203b63	App Service	Default Modify Allowed Modify, Disabled	1	Website Contributor	GA	BuiltIn	true
Configure App Service apps to turn off remote debugging	a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Website Contributor	GA	BuiltIn	unknown
Configure Function app slots to disable public network access	242222f3-4985-4e99-b5ef-086d6a6cb01c	App Service	Default Modify Allowed Modify, Disabled	3	Managed Identity Operator, Network Contributor, Website Contributor	GA	BuiltIn	true
Configure Function app slots to only be accessible over HTTPS	08cf2974-d178-48a0-b26d-f6b8e555748b	App Service	Default Modify Allowed Modify, Disabled	1	Website Contributor	GA	BuiltIn	true
Configure Function app slots to turn off remote debugging	70adbb40-e092-42d5-a6f8-71c540a5efdb	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Website Contributor	GA	BuiltIn	true
Configure Function apps to turn off remote debugging	25a5046c-c423-4805-9235-e844ae9ef49b	App Service	Default DeployIfNotExists Allowed DeployIfNotExists, Disabled	1	Website Contributor	GA	BuiltIn	true

Roles used

Total Roles usage: 18
Total Roles unique usage: 3

Role	Role Id	#Policies	Policies
Managed Identity Operator	f1a07417-d97a-45cb-824c-7a7467783830	3	Configure App Service app slots to disable public network access, Configure App Service apps to disable public network access, Configure Function app slots to disable public network access
Network Contributor	4d97b98b-1d4f-4787-a291-c67834d212e7	3	Configure App Service app slots to disable public network access, Configure App Service apps to disable public network access, Configure Function app slots to disable public network access
Website Contributor	de139f84-1756-47ae-9be6-808fbbe84772	12	Configure App Service app slots to disable local authentication for SCM sites, Configure App Service app slots to disable public network access, Configure App Service app slots to turn off remote debugging, Configure App Service apps to disable local authentication for FTP deployments, Configure App Service apps to disable local authentication for SCM sites, Configure App Service apps to disable public network access, Configure App Service apps to only be accessible over HTTPS, Configure App Service apps to turn off remote debugging, Configure Function app slots to disable public network access, Configure Function app slots to only be accessible over HTTPS, Configure Function app slots to turn off remote debugging, Configure Function apps to turn off remote debugging

History

none

JSON compare

n/a

JSON

EPAC

{7 itemspolicyType: "Custom",
displayName: "Enforce recommended guardrails for App Service",
description: "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.",
metadata: {4 itemsversion: "1.1.0",
category: "App Service",
source: "https://github.com/Azure/Enterprise-Scale/",
alzCloudEnvironments: [3 items"AzureCloud",
"AzureChinaCloud",
"AzureUSGovernment"
]
},
parameters: {18 itemsfunctionAppDebugging: {3 itemstype: "string",
defaultValue: "DeployIfNotExists",
allowedValues: [2 items"DeployIfNotExists",
"Disabled"
]
},
appServiceDisableLocalAuth: {3 itemstype: "string",
defaultValue: "DeployIfNotExists",
allowedValues: [2 items"DeployIfNotExists",
"Disabled"
]
},
appServiceSkuPl: {3 itemstype: "string",
defaultValue: "Deny",
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
]
},
appServiceDisableLocalAuthFtp: {3 itemstype: "string",
defaultValue: "DeployIfNotExists",
allowedValues: [2 items"DeployIfNotExists",
"Disabled"
]
},
appServiceRouting: {3 itemstype: "string",
defaultValue: "Deny",
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
]
},
appServiceScmAuth: {3 itemstype: "string",
defaultValue: "DeployIfNotExists",
allowedValues: [2 items"DeployIfNotExists",
"Disabled"
]
},
appServiceRfc: {3 itemstype: "string",
defaultValue: "Deny",
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
]
},
appServiceAppsRfc: {3 itemstype: "string",
defaultValue: "Deny",
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
]
},
appServiceAppsVnetRouting: {3 itemstype: "string",
defaultValue: "Deny",
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
]
},
appServiceEnvLatestVersion: {3 itemstype: "string",
defaultValue: "Deny",
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
]
},
appServiceAppSlotsRemoteDebugging: {3 itemstype: "string",
defaultValue: "DeployIfNotExists",
allowedValues: [2 items"DeployIfNotExists",
"Disabled"
]
},
appServiceAppsRemoteDebugging: {3 itemstype: "string",
defaultValue: "DeployIfNotExists",
allowedValues: [2 items"DeployIfNotExists",
"Disabled"
]
},
appServiceByoc: {3 itemstype: "string",
defaultValue: "Deny",
allowedValues: [3 items"Audit",
"Deny",
"Disabled"
]
},
functionAppSlotsModifyHttps: {3 itemstype: "string",
defaultValue: "Modify",
allowedValues: [2 items"Modify",
"Disabled"
]
},
appServiceAppHttps: {3 itemstype: "string",
defaultValue: "Modify",
allowedValues: [2 items"Modify",
"Disabled"
]
},
functionAppSlotsModifyPublicNetworkAccess: {3 itemstype: "string",
defaultValue: "Modify",
allowedValues: [2 items"Modify",
"Disabled"
]
},
appServiceAppsModifyPublicNetworkAccess: {3 itemstype: "string",
defaultValue: "Modify",
allowedValues: [2 items"Modify",
"Disabled"
]
},
appServiceAppModifyPublicNetworkAccess: {3 itemstype: "string",
defaultValue: "Modify",
allowedValues: [2 items"Modify",
"Disabled"
]
}
},
policyDefinitions: [19 items{5 itemspolicyDefinitionId: "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC",
policyDefinitionReferenceId: "Deny-AppService-Byoc",
definitionVersion: "1.*.*",
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceByoc')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b Configure App Service apps to turn off remote debugging ,
policyDefinitionReferenceId: "Dine-AppService-Apps-Remote-Debugging",
definitionVersion: 1.*.*1.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceAppsRemoteDebugging')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd Configure App Service app slots to turn off remote debugging ,
policyDefinitionReferenceId: "Deny-AppService-Slots-Remote-Debugging",
definitionVersion: 1.*.*1.1.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceAppSlotsRemoteDebugging')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a App Service Environment should be provisioned with latest versions ,
policyDefinitionReferenceId: "Deny-AppService-Latest-Version",
definitionVersion: 1.*.*1.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceEnvLatestVersion')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5 App Service apps should enable configuration routing to Azure Virtual Network ,
policyDefinitionReferenceId: "Deny-AppService-Vnet-Routing",
definitionVersion: 1.*.*1.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceAppsVnetRouting')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1 App Service app slots should enable outbound non-RFC 1918 traffic to Azure Virtual Network ,
policyDefinitionReferenceId: "Deny-AppService-Rfc",
definitionVersion: 1.*.*1.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceRfc')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222 App Service apps should enable outbound non-RFC 1918 traffic to Azure Virtual Network ,
policyDefinitionReferenceId: "Deny-AppServiceApps-Rfc",
definitionVersion: 1.*.*1.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceAppsRfc')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb Configure Function app slots to turn off remote debugging ,
policyDefinitionReferenceId: "DINE-FuncApp-Debugging",
definitionVersion: 1.*.*1.1.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('functionAppDebugging')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79 Configure App Service apps to disable local authentication for SCM sites ,
policyDefinitionReferenceId: "DINE-AppService-ScmAuth",
definitionVersion: 1.*.*1.0.3,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceScmAuth')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4 App Service app slots should enable configuration routing to Azure Virtual Network ,
policyDefinitionReferenceId: "Deny-AppServ-Routing",
definitionVersion: 1.*.*1.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceRouting')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5 Configure App Service apps to disable local authentication for FTP deployments ,
policyDefinitionReferenceId: "Deny-AppServ-FtpAuth",
definitionVersion: 1.*.*1.0.3,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceDisableLocalAuthFtp')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5 App Service apps should use a SKU that supports private link ,
policyDefinitionReferenceId: "Deny-AppServ-SkuPl",
definitionVersion: 4.*.*4.2.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceSkuPl')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae Configure App Service app slots to disable local authentication for SCM sites ,
policyDefinitionReferenceId: "DINE-AppService-LocalAuth",
definitionVersion: 1.*.*1.0.3,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceDisableLocalAuth')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b Configure Function apps to turn off remote debugging ,
policyDefinitionReferenceId: "DINE-AppService-Debugging",
definitionVersion: 1.*.*1.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('functionAppDebugging')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b Configure Function app slots to only be accessible over HTTPS ,
policyDefinitionReferenceId: "Modify-Function-Apps-Slots-Https",
definitionVersion: 2.*.*2.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('functionAppSlotsModifyHttps')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63 Configure App Service apps to only be accessible over HTTPS ,
policyDefinitionReferenceId: "Modify-AppService-Https",
definitionVersion: 2.*.*2.0.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceAppHttps')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c Configure Function app slots to disable public network access ,
policyDefinitionReferenceId: "Modify-Function-Apps-Slots-Public-Network-Access",
definitionVersion: 1.*.*1.1.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('functionAppSlotsModifyPublicNetworkAccess')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c Configure App Service apps to disable public network access ,
policyDefinitionReferenceId: "Modify-AppService-Apps-Public-Network-Access",
definitionVersion: 1.*.*1.1.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceAppsModifyPublicNetworkAccess')]"
}
}
},
{5 itemspolicyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee Configure App Service app slots to disable public network access ,
policyDefinitionReferenceId: "Modify-AppService-App-Public-Network-Access",
definitionVersion: 1.*.*1.1.0,
groupNames: [],
parameters: {1 itemeffect: {1 itemvalue: "[parameters('appServiceAppModifyPublicNetworkAccess')]"
}
}
}
],
policyDefinitionGroups: null
}