{ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "targetMG": { "type": "string", "metadata": { "description": "Target management group (by name); the policy definition is created and assigned at this scope" } }, "deniedPorts": { "type": "Array", "metadata": { "displayName": "Ports to block", "description": "Inbound destination ports that NSG security rules must not allow from '*' or 'Internet' sources; rules that do are denied" } } }, "variables": { "mgScope": "[tenantResourceId('Microsoft.Management/managementGroups', parameters('targetMG'))]", "policyDefinitionName": "NSGRestriction" }, "resources": [ { "type": "Microsoft.Authorization/policyDefinitions", "name": "[variables('policyDefinitionName')]", "apiVersion": "2019-09-01", "properties": { "policyType": "Custom", "mode": "All", "parameters": { }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Network/networkSecurityGroups/securityRules" }, { "allOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules/access", "equals": "Allow" }, { "field": "Microsoft.Network/networkSecurityGroups/securityRules/direction", "equals": "Inbound" }, { "anyOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange", "in": "[parameters('deniedPorts')]" }, { "not": { "field": "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]", "notIn": "[parameters('deniedPorts')]" } } ] }, { "anyOf": [ { "field": "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix", "in": [ "*", "Internet" ] } ] } ] } ] }, "then": { "effect": "deny" } } } }, { "type": "Microsoft.Authorization/policyAssignments", "name": "nsg-restriction", "apiVersion": "2019-09-01", "dependsOn": [ "[variables('policyDefinitionName')]" ], "properties": { "scope": "[variables('mgScope')]", "policyDefinitionId": "[extensionResourceId(variables('mgScope'), 'Microsoft.Authorization/policyDefinitions', variables('policyDefinitionName'))]" } } ] }