Skip to main content

General availability: New Azure Policy built-in definitions for data encryption in Azure Monitor

Published date: April 14, 2021

Customer managed keys are useful to your scenarios if you have special compliance requirements and need to manage keys in your Azure Key Vault. With Azure Policy, you can enforce organizational standards and assess compliance of data encryption settings in your environment. Azure Monitor now provides built-in policy definitions for data encryption governance and control over the key being used by the encryption at rest.

Available built-in policy definitions for data encryption:

  • Azure Monitor logs clusters should be encrypted with customer-managed key – Audit if log qnalytics cluster is defined with customer-managed key.
  • Azure Monitor logs clusters should be created with infrastructure-encryption enabled (double encryption) – Audit log analytics cluster is created with Infrastructure enabled.
  • Azure Monitor logs for application insights should be linked to a log analytics workspace – Audit if application insights is linked to store data in log analytics workspace. Workspace can then be linked to a log analytics cluster for customer-managed key settings.
  • Saved-queries in Azure Monitor should be saved in customer storage account for logs encryption – Audit if workspace has linked storage account, which allows the encryption using customer-managed key.

Learn ore about data encryption.

Learn more about customer managed keys.


  • Azure Monitor
  • Azure Policy
  • Features
  • Management