General - oWretch/policy GitHub Wiki

Policy Effects by Policy

Category	Policy	Production	Decommissioned	Sandbox
General	Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.		deny
General	Audit usage of custom RBAC roles Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling	Audit Disabled
General	Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources.			Deny Disabled Audit

Category	Policy	Platform	Landing Zones	Production	Decommissioned	Management	Corp	Connectivity	Sandbox	Identity
General	Allowed resource types This policy enables you to specify the resource types that your organization can deploy. Only resource types that support 'tags' and 'location' will be affected by this policy. To restrict all resources please duplicate this policy and change the 'mode' to 'All'.				listOfResourceTypesAllowed = `["microsoft.consumption/tags", "microso...`
General	Not allowed resource types Restrict which resource types can be deployed in your environment. Limiting resource types can reduce the complexity and attack surface of your environment while also helping to manage costs. Compliance results are only shown for non-compliant resources.								listOfResourceTypesNotAllowed = `["microsoft.network/expressroutecircuit...`