Azure Policy: Targeting Linux or Windows App Services

When creating Azure Policies for App Services, you often need to apply different configurations or requirements based on the operating system. This guide explains how to target Linux or Windows App Services specifically.
Recommended Approach: Using the `reserved` Property
The easiest and most reliable way to determine the OS of an App Service is by using the `Microsoft.Web/sites/reserved` field:
- Windows App Services: `reserved = false`
- Linux App Services: `reserved = true`
Example: Windows App Service Policy
```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      {
        "field": "kind",
        "notContains": "functionapp"
      },
      {
        "field": "Microsoft.Web/sites/reserved",
        "equals": false
      }
    ]
  }
}
```
Example: Linux App Service Policy
```json
"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Web/sites"
      },
      {
        "field": "kind",
        "notContains": "functionapp"
      },
      {
        "field": "Microsoft.Web/sites/reserved",
        "equals": true
      }
    ]
  }
}
```
Alternative Approach: Using the `kind` Field
You can also differentiate between operating systems using the `kind` field:
For Linux App Services:
```json
{
  "field": "kind",
  "contains": "linux"
}
```
For Windows App Services:
```json
{
  "field": "kind",
  "notContains": "linux"
}
```
Best Practices
- Use the `reserved` property for the most straightforward and reliable OS detection
- Exclude function apps if your policy should only apply to web apps by adding:
```json
{
  "field": "kind",
  "notContains": "functionapp"
}
```
- Test your policies in audit mode before deploying with `deployIfNotExists` to ensure they target the correct resources
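To see which resources each condition on this page would select before assigning a policy, the following added example (not part of the original guide, and not Azure's policy engine) evaluates the `reserved` and `kind` rules locally against a constructed inventory. The resource names, the flat alias lookup, and the case-insensitive string comparison are assumptions of the example.

```python
# Added example: local evaluator for the condition operators used on this page.
# Assumptions: aliases are flat dict keys; string comparison is case-insensitive.
def _norm(value):
    return value.lower() if isinstance(value, str) else value

def matches(cond, resource):
    """Evaluate allOf / equals / contains / notContains against one resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "contains" in cond:
        return isinstance(value, str) and _norm(cond["contains"]) in value
    if "notContains" in cond:
        return not (isinstance(value, str) and _norm(cond["notContains"]) in value)
    raise ValueError(f"unsupported condition: {cond}")

RESERVED = "Microsoft.Web/sites/reserved"
IS_SITE = {"field": "type", "equals": "Microsoft.Web/sites"}
NOT_FUNCTION_APP = {"field": "kind", "notContains": "functionapp"}
def rule(os_condition, exclude_functions=True):
    extra = [NOT_FUNCTION_APP] if exclude_functions else []
    return {"allOf": [IS_SITE, *extra, os_condition]}

LINUX_BY_RESERVED = rule({"field": RESERVED, "equals": True})
WINDOWS_BY_RESERVED = rule({"field": RESERVED, "equals": False})
LINUX_BY_KIND = rule({"field": "kind", "contains": "linux"})
WINDOWS_BY_KIND = rule({"field": "kind", "notContains": "linux"})

def site(name, kind, reserved):
    return {"name": name, "type": "Microsoft.Web/sites", "kind": kind, RESERVED: reserved}

# Constructed sample inventory (hypothetical names, typical kind strings).
RESOURCES = [
    site("win-web", "app", False),
    site("linux-web", "app,linux", True),
    site("linux-container", "app,linux,container", True),
    site("win-func", "functionapp", False),
    site("linux-func", "functionapp,linux", True),
    {"name": "storage", "type": "Microsoft.Storage/storageAccounts", "kind": "StorageV2"},
]

def targeted(policy_if):
    return [r["name"] for r in RESOURCES if matches(policy_if, r)]

if __name__ == "__main__":
    for label in ("LINUX_BY_RESERVED", "WINDOWS_BY_RESERVED", "LINUX_BY_KIND", "WINDOWS_BY_KIND"):
        print(label, targeted(globals()[label]))
```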
Common Use Cases
- Enabling different diagnostic log categories (Windows uses HTTP logs, Linux uses Console logs)
- Applying OS-specific security configurations
- Setting up different monitoring or compliance requirements based on the platform