Out of date built-in policies
Hello
Not sure if this is the right place to post, but we'll see.
I have found issues with some built-in policies. They have not been updated in quite some time.
Deploy Log Analytics extension for Linux VMs - /providers/Microsoft.Authorization/policyDefinitions/053d3325-282c-4e5c-b944-24faffd30d77
Issue with this policy is the scope. It includes imageOffer types that do not exist.
For example:
```json
{ "field": "Microsoft.Compute/imagePublisher", "equals": "RedHat" },
{ "field": "Microsoft.Compute/imageOffer", "in": [ "RHEL", "RHEL-SAP-HANA" ] },
```
At least for WestEurope region (I have not checked others), the offer "RHEL-SAP-HANA" does not exist.
Using `Get-AzVMImageOffer -publisherName 'RedHat' -location WestEurope | Select-Object {$_.Offer}` returns the following:
```
$_.Offer
alfredtestoffer
ocp-worker
oke-worker
opp-worker
osa
rh-ocp-worker
rh-oke-worker
rh-opp-worker
rh-rhel
rh-rhel-7-main-2
rh-rhel-8-main-2
rh-rhel-main-2
RHEL
rhel-arm64
rhel-byos
rhel-byos-test
rhel-cpp-test
RHEL-HA
rhel-raw
RHEL-SAP
RHEL-SAP-APPS
RHEL-SAP-HA
rhel-sig-publishing-test
RHEL-TEST
rh_rhel_7_latest
rh_rhel_7_vm
rh_rhel_8_latest
rh_rhel_8_main_1
rh_rhel_8_vm
sp-test-oke-worker
TEST-DO-NOT-USE
test_offer_china
```
RHEL-SAP-HANA does not exist in that list.
On top of that, comparing the other scopes as well with the supported OS versions: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
Not only are a number of image SKUs missing that could have the MMA agent installed, but in some areas it's targeting OS versions that don't support it.
We can also take a look at Deploy Dependency agent for Linux virtual machines - /providers/Microsoft.Authorization/policyDefinitions/4da21710-ce6f-4e06-8cdb-5cc4c93ffbee
If we look at the Ubuntu SKUs in scope, it includes 14.04.
But if we compare that with the documentation: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview
14.04 does not support the installation of the dependency agent. Only 16.04, 18.04 and 20.04.
There are a number of other scoping issues as well; it would take me far too long to list them all.
Either the MS Documentation is not up to date, or the policies have not been updated to coincide with the documentation.
Please investigate.
For now, I have created custom policies using correct scoping and imageOffers/SKUs in accordance with the MS Documentation.
If this is the wrong place to raise this issue, please direct me to where this should be posted, as I'd say this is quite a critical issue: these policies are GA but have incorrect settings.
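As an added check that is not part of this issue or of the azure-policy repository: a Python script that walks a policy rule's nested allOf/anyOf conditions, collects the imagePublisher/imageOffer pairs it scopes, and reports offers that the region's publisher does not actually list. The rule and the offer table are constructed inline (the RedHat branch mirrors the fragment above; the Canonical branch is an assumption); in practice the two inputs would come from `Get-AzPolicyDefinition` and `Get-AzVMImageOffer`.

```python
import json
PUBLISHER = "Microsoft.Compute/imagePublisher"
OFFER = "Microsoft.Compute/imageOffer"

# Constructed policyRule fragment in the shape of the built-in quoted in the
# issue; the RedHat branch is from the issue, the Canonical branch is assumed.
POLICY_RULE = json.loads("""
{ "if": { "allOf": [
    { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
    { "anyOf": [
      { "allOf": [
        { "field": "Microsoft.Compute/imagePublisher", "equals": "RedHat" },
        { "field": "Microsoft.Compute/imageOffer", "in": [ "RHEL", "RHEL-SAP-HANA" ] } ] },
      { "allOf": [
        { "field": "Microsoft.Compute/imagePublisher", "equals": "Canonical" },
        { "field": "Microsoft.Compute/imageOffer", "equals": "UbuntuServer" } ] } ] } ] } }
""")
# Constructed: offers per publisher for one region, as Get-AzVMImageOffer
# returns them (RedHat entries taken from the output quoted in the issue).
LIVE_OFFERS = {
    "RedHat": {"RHEL", "rhel-byos", "RHEL-HA", "RHEL-SAP", "RHEL-SAP-APPS", "RHEL-SAP-HA"},
    "Canonical": {"UbuntuServer"},
}

def _values(cond):
    """Literal values an 'equals' or 'in' condition matches."""
    return [cond["equals"]] if "equals" in cond else list(cond.get("in", []))

def publisher_offer_pairs(node):
    """Yield (publisher, offer) pairs scoped together in one allOf, recursing into nested blocks."""
    if isinstance(node, dict):
        if "allOf" in node:
            pubs = [v for c in node["allOf"] if c.get("field") == PUBLISHER for v in _values(c)]
            offers = [v for c in node["allOf"] if c.get("field") == OFFER for v in _values(c)]
            for p in pubs:
                for o in offers:
                    yield p, o
        for child in node.values():
            yield from publisher_offer_pairs(child)
    elif isinstance(node, list):
        for item in node:
            yield from publisher_offer_pairs(item)

def stale_offers(rule, live):
    """Sorted (publisher, offer) pairs the rule targets but the region lacks.
    Policy string matching is case-insensitive, so compare lowercased."""
    known = {p: {o.lower() for o in offs} for p, offs in live.items()}
    return sorted({(p, o) for p, o in publisher_offer_pairs(rule)
                   if o.lower() not in known.get(p, set())})
```

Running `stale_offers(POLICY_RULE, LIVE_OFFERS)` on the constructed inputs flags only the RedHat/RHEL-SAP-HANA pair, which is exactly the offer missing from the WestEurope listing above.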
Hi @nubgamerz, the majority of Azure Policy built-in definitions are owned by various Azure services. I'll pass on your request to the correct Azure service so that they can update this issue with the appropriate guidance.