Azure Policy built-in definitions for Azure Cognitive Search

This page is an index of Azure Policy built-in policy definitions for Azure Cognitive Search. For additional Azure Policy built-ins for other services, see Azure Policy built-in definitions.

The name of each built-in policy definition links to the policy definition in th Azure portal. Use the link in the Version column to view the source on the Azure Policy GitHub repo.

Name
(Azure portal)
Description Effect(s) Version
(GitHub)
[Preview]: Azure AI Search Service should be Zone Redundant Azure AI Search Service can be configured to be Zone Redundant or not. Availability zones are used when you add two or more replicas to your search service. Each replica is placed in a different availability zone within the region. Audit, Deny, Disabled 1.0.0-preview
Azure AI Services resources should have key access disabled (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth Audit, Deny, Disabled 1.1.0
Azure AI Services resources should restrict network access By restricting network access, you can ensure that only allowed networks can access the service. This can be achieved by configuring network rules so that only applications from allowed networks can access the Azure AI service. Audit, Deny, Disabled 3.2.0
Azure AI Services resources should use Azure Private Link Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform reduces data leakage risks by handling the connectivity between the consumer and services over the Azure backbone network. Learn more about private links at: https://aka.ms/AzurePrivateLink/Overview Audit, Disabled 1.0.0
Azure Cognitive Search service should use a SKU that supports private link With supported SKUs of Azure Cognitive Search, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Search service, data leakage risks are reduced. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should disable public network access Disabling public network access improves security by ensuring that your Azure Cognitive Search service is not exposed on the public internet. Creating private endpoints can limit exposure of your Search service. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should have local authentication methods disabled Disabling local authentication methods improves security by ensuring that Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Note that while the disable local authentication parameter is still in preview, the deny effect for this policy may result in limited Azure Cognitive Search portal functionality since some features of the Portal use the GA API which does not support the parameter. Audit, Deny, Disabled 1.0.0
Azure Cognitive Search services should use customer-managed keys to encrypt data at rest Enabling encryption at rest using a customer-managed key on your Azure Cognitive Search services provides additional control over the key used to encrypt data at rest. This feature is often applicable to customers with special compliance requirements to manage data encryption keys using a key vault. Audit, Deny, Disabled 1.0.0
Configure Azure AI Services resources to disable local key access (disable local authentication) Key access (local authentication) is recommended to be disabled for security. Azure OpenAI Studio, typically used in development/testing, requires key access and will not function if key access is disabled. After disabling, Microsoft Entra ID becomes the only access method, which allows maintaining minimum privilege principle and granular control. Learn more at: https://aka.ms/AI/auth DeployIfNotExists, Disabled 1.0.0
Configure Azure Cognitive Search services to disable local authentication Disable local authentication methods so that your Azure Cognitive Search services exclusively require Azure Active Directory identities for authentication. Learn more at: https://aka.ms/azure-cognitive-search/rbac. Modify, Disabled 1.0.0
Configure Azure Cognitive Search services to disable public network access Disable public network access for your Azure Cognitive Search service so that it is not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. Modify, Disabled 1.0.0
Configure Azure Cognitive Search services with private endpoints Private endpoints connect your virtual network to Azure services without a public IP address at the source or destination. By mapping private endpoints to your Azure Cognitive Search service, you can reduce data leakage risks. Learn more at: https://aka.ms/azure-cognitive-search/inbound-private-endpoints. DeployIfNotExists, Disabled 1.0.0
Deploy Diagnostic Settings for Search Services to Event Hub Deploys the diagnostic settings for Search Services to stream to a regional Event Hub when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 2.0.0
Deploy Diagnostic Settings for Search Services to Log Analytics workspace Deploys the diagnostic settings for Search Services to stream to a regional Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. DeployIfNotExists, Disabled 1.0.0
Diagnostic logs in Azure AI services resources should be enabled Enable logs for Azure AI services resources. This enables you to recreate activity trails for investigation purposes, when a security incident occurs or your network is compromised AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Search services (microsoft.search/searchservices) to Event Hub Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Search services (microsoft.search/searchservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Search services (microsoft.search/searchservices) to Log Analytics Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Search services (microsoft.search/searchservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Enable logging by category group for Search services (microsoft.search/searchservices) to Storage Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Storage Account for Search services (microsoft.search/searchservices). DeployIfNotExists, AuditIfNotExists, Disabled 1.0.0
Resource logs in Search services should be enabled Audit enabling of resource logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised AuditIfNotExists, Disabled 5.0.0

Next steps