Enforce recommended guardrails for Open AI (Cognitive Service)

Azure Landing Zones (ALZ) Policy Initiative (PolicySet)

Policy types

Policy states

Policy categories

Total Policies: 11
Builtin Policies: 9
Static Policies: 0
ALZ Policies: 2

GA: 11

2 categories:

Azure Ai Services: 6
Cognitive Services: 5

Rows: 1-10 / 11

Records:

Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, [empty], [nonempty], rgx:
Learn more

TableFilter v0.7.3

https://www.tablefilter.com/
©2015-2025 Max Guglielmi

Page of 2

Policy DisplayName

Policy Id

Category

Effect

Roles#

Roles

State

Type

policy in AzUSGov

Azure AI Services resources should have key access disabled (disable local authentication)

71ef260a-8f18-47b7-abcb-62d0673d94dc

Azure Ai Services

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

true

Azure AI Services resources should restrict network access

037eea7a-bd0a-46c5-9a66-03aea78705d3

Azure Ai Services

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

true

Azure AI Services resources should use Azure Private Link

d6759c02-b87f-42b7-892e-71b3f471d782

Azure Ai Services

Default
Audit
Allowed
Audit, Disabled

BuiltIn

true

Cognitive Services accounts should use a managed identity

fe3fd216-4f83-4fc1-8984-2bbec80a3418

Cognitive Services

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

unknown

Cognitive Services accounts should use customer owned storage

46aa9b05-0e60-4eae-a88b-1e9d374fa515

Cognitive Services

Default
Audit
Allowed
Audit, Deny, Disabled

BuiltIn

unknown

Configure Azure AI Services resources to disable local key access (disable local authentication)

d45520cb-31ca-44ba-8da2-fcf914608544

Azure Ai Services

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Cognitive Services Contributor, Cognitive Services OpenAI Contributor, Search Service Contributor

BuiltIn

unknown

Configure Azure AI Services resources to disable local key access (disable local authentication)

55eff01b-f2bd-4c32-9203-db285f709d30

Azure Ai Services

Default
DeployIfNotExists
Allowed
DeployIfNotExists, Disabled

Cognitive Services Contributor, Cognitive Services OpenAI Contributor

BuiltIn

unknown

Configure Cognitive Services accounts to disable local authentication methods

14de9e63-1b31-492e-a5a3-c3f7fd57f555

Cognitive Services

Default
Modify
Allowed
Modify, Disabled

Contributor

BuiltIn

unknown

Diagnostic logs in Azure AI services resources should be enabled

1b4d1c4e-934c-4703-944c-27c82c06bebb

Azure Ai Services

Default
AuditIfNotExists
Allowed
AuditIfNotExists, Disabled

BuiltIn

true

Network ACLs should be restricted for Cognitive Services

Deny-CognitiveServices-NetworkAcls

Cognitive Services

Default
Deny
Allowed
Audit, Deny, Disabled

ALZ

Role

Role Id

#Policies

Policies

Contributor

b24988ac-6180-42a0-ab88-20f7382dd24c

Configure Cognitive Services accounts to disable local authentication methods

Cognitive Services OpenAI Contributor

a001fd3d-188f-4b5d-821b-7da978bf7442

Configure Azure AI Services resources to disable local key access (disable local authentication), Configure Azure AI Services resources to disable local key access (disable local authentication)

Cognitive Services Contributor

25fbc0a9-bd7c-42a3-aa1a-3b75d497ee68

Configure Azure AI Services resources to disable local key access (disable local authentication), Configure Azure AI Services resources to disable local key access (disable local authentication)

Search Service Contributor

7ca78c08-252a-4471-8644-bb5ff32d4ba0

Configure Azure AI Services resources to disable local key access (disable local authentication)

{

policyType: "Custom",
displayName: "Enforce recommended guardrails for Open AI (Cognitive Service)",
description: "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.",
metadata: {4 items
- version: "1.2.0",
- category: "Cognitive Services",
- source: "https://github.com/Azure/Enterprise-Scale/",
- alzCloudEnvironments: [3 items
  - "AzureCloud",
  - "AzureChinaCloud",
  - "AzureUSGovernment"
  ]
},
parameters: {11 items
- cognitiveServicesOutboundNetworkAccess: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- cognitiveServicesNetworkAcls: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- cognitiveServicesModifyDisableLocalAuth: {3 items
  - type: "string",
  - defaultValue: "Modify",
  - allowedValues: [2 items
    - "Modify",
    - "Disabled"
    ]
  },
- cognitiveServicesDisableLocalAuth: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- cognitiveServicesCustomerStorage: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- cognitiveServicesManagedIdentity: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- azureAiNetworkAccess: {3 items
  - type: "string",
  - defaultValue: "Deny",
  - allowedValues: [3 items
    - "Audit",
    - "Deny",
    - "Disabled"
    ]
  },
- azureAiPrivateLink: {3 items
  - type: "string",
  - defaultValue: "Audit",
  - allowedValues: [2 items
    - "Audit",
    - "Disabled"
    ]
  },
- azureAiDisableLocalKey: {3 items
  - type: "string",
  - defaultValue: "DeployIfNotExists",
  - allowedValues: [2 items
    - "DeployIfNotExists",
    - "Disabled"
    ]
  },
- azureAiDisableLocalKey2: {3 items
  - type: "string",
  - defaultValue: "DeployIfNotExists",
  - allowedValues: [2 items
    - "DeployIfNotExists",
    - "Disabled"
    ]
  },
- azureAiDiagSettings: {3 items
  - type: "string",
  - defaultValue: "AuditIfNotExists",
  - allowedValues: [2 items
    - "AuditIfNotExists",
    - "Disabled"
    ]
  }
},
policyDefinitions: [11 items
- {5 items
  - policyDefinitionId: "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess",
  - policyDefinitionReferenceId: "Deny-OpenAi-OutboundNetworkAccess",
  - definitionVersion: "1.*.*",
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('cognitiveServicesOutboundNetworkAccess')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls",
  - policyDefinitionReferenceId: "Deny-OpenAi-NetworkAcls",
  - definitionVersion: "1.*.*",
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('cognitiveServicesNetworkAcls')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418 Cognitive Services accounts should use a managed identity ,
  - policyDefinitionReferenceId: "Deny-Cognitive-Services-Managed-Identity",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('cognitiveServicesManagedIdentity')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc Azure AI Services resources should have key access disabled (disable local authentication) ,
  - policyDefinitionReferenceId: "Deny-Cognitive-Services-Local-Auth",
  - definitionVersion: 1.*.*1.1.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('cognitiveServicesDisableLocalAuth')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515 Cognitive Services accounts should use customer owned storage ,
  - policyDefinitionReferenceId: "Deny-Cognitive-Services-Cust-Storage",
  - definitionVersion: 2.*.*2.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('cognitiveServicesCustomerStorage')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555 Configure Cognitive Services accounts to disable local authentication methods ,
  - policyDefinitionReferenceId: "Modify-Cognitive-Services-Local-Auth",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('cognitiveServicesModifyDisableLocalAuth')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3 Azure AI Services resources should restrict network access ,
  - policyDefinitionReferenceId: "Deny-AzureAI-Network-Access",
  - definitionVersion: 3.*.*3.2.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('azureAiNetworkAccess')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782 Azure AI Services resources should use Azure Private Link ,
  - policyDefinitionReferenceId: "Audit-AzureAI-Private-Link",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('azureAiPrivateLink')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544 Configure Azure AI Services resources to disable local key access (disable local authentication) ,
  - policyDefinitionReferenceId: "Dine-AzureAI-Local-Key",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('azureAiDisableLocalKey')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30 Configure Azure AI Services resources to disable local key access (disable local authentication) ,
  - policyDefinitionReferenceId: "Dine-AzureAI-Local-Key2",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('azureAiDisableLocalKey2')]"
      }
    }
  },
- {5 items
  - policyDefinitionId: /providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb Diagnostic logs in Azure AI services resources should be enabled ,
  - policyDefinitionReferenceId: "Aine-AzureAI-Diag-Settings",
  - definitionVersion: 1.*.*1.0.0,
  - groupNames: [],
  - parameters: {1 item
    - effect: {1 item
      - value: "[parameters('azureAiDiagSettings')]"
      }
    }
  }
],
policyDefinitionGroups: null

}