Governance Policies Azure AI Bot Service - Azure/az-prototype GitHub Wiki
Governance policies for Bot Service
Domain: azure-ai
| Name | Description |
|---|---|
| Bot Service with managed identity and secure Direct Line | Azure Bot with user-assigned identity, enhanced auth, and trusted origins |
| Do not | Instead |
|---|---|
| Do not use MSA app passwords (client secrets) for bot authentication | Use msaAppType=UserAssignedMSI with a user-assigned managed identity: set msaAppId to the identity's client ID, msaAppMSIResourceId to its resource ID, and msaAppTenantId to the tenant; no password is stored anywhere |
| Do not enable Direct Line V1 protocol | Use V3 with isSecureSiteEnabled=true and configure trustedOrigins |
| Check | Severity | Description |
|---|---|---|
| AZ-BOT-001 | Required | Deploy Azure Bot Service with managed identity and isolated network configuration |
| AZ-BOT-002 | Required | Configure Direct Line channels with enhanced authentication and trusted origins |
| AZ-BOT-003 | Recommended | Enable Application Insights for bot telemetry and conversation analytics |
Deploy Azure Bot Service with managed identity and isolated network configuration
Severity: Required
Rationale: Bot Service handles user conversations; a user-assigned managed identity replaces the MSA app password the bot would otherwise hold, so there is no secret to store, rotate, or leak, and the same identity can be granted least-privilege access to backend resources
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.BotService/botServices
| Resource | Name | Purpose |
|---|---|---|
| Microsoft.ManagedIdentity/userAssignedIdentities | id-bot | User-assigned managed identity for Bot Service MSA authentication |
| Microsoft.BotService/botServices/channels | DirectLineChannel | Direct Line channel with enhanced authentication for secure client communication |
| Microsoft.Insights/diagnosticSettings | diag-bot | Diagnostic settings to route bot activity logs to Log Analytics |
Configure Direct Line channels with enhanced authentication and trusted origins
Severity: Required
Rationale: Enhanced authentication (isSecureSiteEnabled) binds each Direct Line token to the user ID it was issued for and to the listed trusted origins, so a token lifted from one page cannot be replayed from another origin or for another user; the Direct Line secret itself stays server-side and is only ever exchanged for short-lived tokens. Direct Line V1 is deprecated and must stay disabled
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer
- Microsoft.BotService/botServices
Enable Application Insights for bot telemetry and conversation analytics
Severity: Recommended
Rationale: Bot telemetry provides conversation flow analysis, error tracking, and user engagement metrics
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.BotService/botServices
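The following Bicep module is an added example that implements AZ-BOT-001, AZ-BOT-002 and AZ-BOT-003 together; it is not code from the Azure/az-prototype wiki or from the Bot Service product. The parameter names, the endpoint host `bot.contoso.com`, the trusted origin `https://app.contoso.com`, the resource names `id-bot`, `appi-bot` and `diag-bot`, and the existence of a Log Analytics workspace whose resource ID is passed in are all assumptions made for the example.

```bicep
// Added example, not part of the Azure/az-prototype wiki. One module that
// satisfies AZ-BOT-001 (managed identity + network isolation + diagnostics),
// AZ-BOT-002 (Direct Line V3, enhanced auth, trusted origins) and
// AZ-BOT-003 (Application Insights telemetry).
// Assumed: parameter names, the hostnames below, and an existing workspace.
@description('Region for regional resources (identity, App Insights). Bot Service itself is global.')
param location string = resourceGroup().location
param botName string
@description('Resource ID of an existing Log Analytics workspace (assumed to exist).')
param logAnalyticsWorkspaceId string
@description('HTTPS messaging endpoint of the bot app (hypothetical host).')
param messagingEndpoint string = 'https://bot.contoso.com/api/messages'
@description('Origins allowed to embed Web Chat and obtain Direct Line tokens (hypothetical).')
param trustedOrigins array = [ 'https://app.contoso.com' ]

// AZ-BOT-001: the user-assigned identity replaces the MSA app password.
resource botIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-bot'
  location: location
}

// AZ-BOT-003: workspace-based App Insights for conversation telemetry.
resource appInsights 'Microsoft.Insights/components@2020-02-02' = {
  name: 'appi-bot'
  location: location
  kind: 'web'
  properties: {
    Application_Type: 'web'
    WorkspaceResourceId: logAnalyticsWorkspaceId
  }
}

resource bot 'Microsoft.BotService/botServices@2022-09-15' = {
  name: botName
  location: 'global'
  kind: 'azurebot'
  sku: { name: 'S1' }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: { '${botIdentity.id}': {} }
  }
  properties: {
    displayName: botName
    endpoint: messagingEndpoint
    // No msaAppPassword: the identity's client ID and resource ID are the
    // credential, and Bot Service obtains tokens on the bot's behalf.
    msaAppType: 'UserAssignedMSI'
    msaAppId: botIdentity.properties.clientId
    msaAppTenantId: tenant().tenantId
    msaAppMSIResourceId: botIdentity.id
    // Network isolation: with public access disabled, Direct Line is only
    // reachable through a private endpoint (not shown in this example).
    publicNetworkAccess: 'Disabled'
    developerAppInsightKey: appInsights.properties.InstrumentationKey
    developerAppInsightsApplicationId: appInsights.properties.AppId
  }
}

// AZ-BOT-002: V1 off, V3 on, enhanced authentication on, origins pinned.
resource directLine 'Microsoft.BotService/botServices/channels@2022-09-15' = {
  parent: bot
  name: 'DirectLineChannel'
  location: 'global'
  properties: {
    channelName: 'DirectLineChannel'
    properties: {
      sites: [
        {
          siteName: 'Default Site'
          isEnabled: true
          isV1Enabled: false
          isV3Enabled: true
          isSecureSiteEnabled: true
          trustedOrigins: trustedOrigins
        }
      ]
    }
  }
}

// AZ-BOT-001 (diag-bot): route bot activity logs and metrics to Log Analytics.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-bot'
  scope: bot
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { categoryGroup: 'allLogs', enabled: true } ]
    metrics: [ { category: 'AllMetrics', enabled: true } ]
  }
}

// Grant this principal least-privilege roles on backend resources instead of secrets.
output botPrincipalId string = botIdentity.properties.principalId
```

Deploy with `az deployment group create -g <rg> -f main.bicep -p botName=<name> logAnalyticsWorkspaceId=<workspace-id>`, then verify AZ-BOT-001 with `az bot show -n <name> -g <rg> --query "properties.msaAppType"`, which must return `UserAssignedMSI`. Two caveats a reviewer should raise: `publicNetworkAccess: 'Disabled'` makes the channel unreachable until a private endpoint for the bot exists, so it is only correct alongside that endpoint; and enhanced authentication only helps if the web front end never ships the Direct Line secret to the browser and instead exchanges it server-side for a per-user token.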