Governance Policies Azure Management Communication Services - Azure/az-prototype GitHub Wiki
Governance policies for Communication Services
Domain: azure-management
| Name | Description |
|---|---|
| Communication Services with email and managed identity | ACS resource with email service, custom domain, managed identity, and diagnostic logging |

| Anti-pattern | Instead |
|---|---|
| Do not embed access keys in client applications | Use server-side token issuance with CommunicationIdentityClient to generate scoped user tokens |
| Do not use Azure-managed domains for production email | Configure customer-managed domains with DKIM, SPF, and DMARC verification |

| Check | Severity | Description |
|---|---|---|
| AZ-ACS-001 | Required | Deploy Azure Communication Services with managed identity and disabled access key authentication |
| AZ-ACS-002 | Required | Set dataLocation to match compliance requirements for data residency |
| AZ-ACS-003 | Required | Use user access tokens for client applications — never expose connection strings to clients |
| AZ-ACS-004 | Recommended | Configure custom domains with DKIM and SPF for email sending |
| AZ-ACS-005 | Recommended | Enable diagnostic logging for all communication modalities |
Deploy Azure Communication Services with managed identity and disabled access key authentication
Severity: Required
Rationale: Access keys grant full control and cannot be scoped; managed identity with RBAC provides auditable access
Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.Communication/communicationServices

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Communication/emailServices | email-service | Email Communication Service for email sending capabilities |
| Microsoft.Communication/emailServices/domains | email-domain | Email domain with DKIM, SPF, and DMARC configuration for verified sending |
| Microsoft.Insights/diagnosticSettings | diag-acs | Diagnostic settings for chat, SMS, voice, and email operation logs |
| Microsoft.Authorization/roleAssignments | Communication Service Contributor | RBAC role assignment for ACS resource management |

Set dataLocation to match compliance requirements for data residency
Severity: Required
Rationale: Communication data (chat transcripts, call recordings) must reside in the correct geography for regulatory compliance
Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.Communication/communicationServices

Use user access tokens for client applications — never expose connection strings to clients
Severity: Required
Rationale: Connection strings grant full access; user tokens are scoped, short-lived, and tied to identity
Agents: cloud-architect, app-developer, csharp-developer, python-developer

- Microsoft.Communication/communicationServices

Configure custom domains with DKIM and SPF for email sending
Severity: Recommended
Rationale: Azure-managed domains have sending limits and cannot be customized; custom domains improve deliverability
Agents: terraform-agent, bicep-agent, cloud-architect

- Microsoft.Communication/communicationServices

Enable diagnostic logging for all communication modalities
Severity: Recommended
Rationale: Logs enable troubleshooting, usage analytics, and compliance auditing for chat, SMS, voice, and email
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

- Microsoft.Communication/communicationServices
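The checks above can be evaluated mechanically over the resource definitions an agent produces. The following is an added example, not code from the az-prototype wiki: it scores ARM-style resource dictionaries against AZ-ACS-001, -002, -004 and -005 (AZ-ACS-003 concerns application code, not infrastructure). The `disableLocalAuth` property name is an assumption to confirm against the API version in use; `Finding`, `evaluate` and the sample resources are constructed for this example.

```python
# Added example (not az-prototype code): evaluate ARM-style resource dicts,
# e.g. a template's `resources` array, against the AZ-ACS checks above.
from collections import namedtuple

Finding = namedtuple("Finding", "resource check severity message")
ACS = "microsoft.communication/communicationservices"
DOMAIN = "microsoft.communication/emailservices/domains"
DIAG = "microsoft.insights/diagnosticsettings"
# Assumed property name for the access-key switch; confirm it for your API version.
LOCAL_AUTH_PROPERTY = "disableLocalAuth"

def evaluate(resources, allowed_data_locations):
    """Return one Finding per failed check for each communicationServices resource."""
    def of_type(rtype):
        return [r for r in resources if r.get("type", "").lower() == rtype]
    # AZ-ACS-004 credits only linked domains whose management is customer-owned.
    custom_domains = {d["id"].lower() for d in of_type(DOMAIN)
                      if d.get("properties", {}).get("domainManagement") == "CustomerManaged"}
    # Diagnostic settings are extension resources whose `scope` is the target's id.
    diag_scopes = {d.get("scope", "").lower() for d in of_type(DIAG)}
    findings = []
    for r in of_type(ACS):
        name, props = r["name"], r.get("properties", {})
        identity = r.get("identity", {}).get("type", "None")
        checks = [  # (condition that must hold, check id, severity, message)
            ("Assigned" in identity, "AZ-ACS-001", "Required", "no managed identity"),
            (props.get(LOCAL_AUTH_PROPERTY) is True, "AZ-ACS-001", "Required",
             "access key authentication still enabled"),
            (props.get("dataLocation") in allowed_data_locations, "AZ-ACS-002", "Required",
             f"dataLocation {props.get('dataLocation')!r} not permitted"),
            (any(d.lower() in custom_domains for d in props.get("linkedDomains", [])),
             "AZ-ACS-004", "Recommended", "no customer-managed email domain linked"),
            (r.get("id", "").lower() in diag_scopes, "AZ-ACS-005", "Recommended",
             "no diagnostic setting targets this resource"),
        ]
        findings += [Finding(name, c, s, m) for ok, c, s, m in checks if not ok]
    return findings

# Constructed sample: a compliant deployment plus a bare resource that fails every check.
SAMPLE = [
    {"type": "Microsoft.Communication/emailServices/domains", "name": "mail.contoso.example",
     "id": "/sub/x/domains/mail.contoso.example", "properties": {"domainManagement": "CustomerManaged"}},
    {"type": "Microsoft.Communication/communicationServices", "name": "acs-good", "id": "/sub/x/acs-good",
     "identity": {"type": "SystemAssigned"}, "properties": {"dataLocation": "Europe",
     LOCAL_AUTH_PROPERTY: True, "linkedDomains": ["/sub/x/domains/mail.contoso.example"]}},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "diag-acs", "scope": "/sub/x/acs-good"},
    {"type": "Microsoft.Communication/communicationServices", "name": "acs-bad", "id": "/sub/x/acs-bad",
     "properties": {"dataLocation": "United States"}},
]
```

Running `evaluate(SAMPLE, {"Europe"})` yields five findings, all against `acs-bad`; a Required finding should fail the deployment, a Recommended one should be surfaced to the reviewer.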