Azure Policies are the new silver bullet for all things governance: Last week (November 10, 2018) a new policy was introduced that can audit installed applications inside virtual machines (see intro post).
I wanted to know whether it is possible to detect software that should not be installed. Imagine you want to discover all servers running a specific version that is out of support, or software that has not been approved yet. There are many such scenarios.
The Azure Marketplace makes it easy to add new types of VMs to any Azure environment. Sometimes those VMs carry additional charges that were not approved. Sometimes they come from a third-party source that was not approved.
Unfortunately, according to the Marketplace FAQ, the Azure Marketplace can currently only be disabled or enabled for EA (Enterprise Agreement) customers. This situation is far from ideal from a governance perspective.
In this post I will show you how to use the Azure Policy service to audit or even deny the creation of those VMs.