
Governance Policies Azure Data Stream Analytics

Joshua Davis edited this page Apr 5, 2026 · 3 revisions

Stream Analytics

Governance policies for Stream Analytics

Domain: azure-data

Patterns

| Name | Description |
| --- | --- |
| Stream Analytics job with managed identity and diagnostics | Production ASA job using managed identity for all connections |

Anti-Patterns

| Description | Instead |
| --- | --- |
| Do not use connection strings for input/output authentication | Use managed identity (authenticationMode: Msi) for all data connections |
| Do not set outputErrorPolicy to Drop without explicit error handling | Use Stop policy and configure alerts on error metrics |

References


Checks (4)

| Check | Severity | Description |
| --- | --- | --- |
| AZ-ASA-001 | Required | Deploy Stream Analytics job with Standard SKU, managed identity, and secure networking |
| AZ-ASA-002 | Required | Use managed identity for all input and output connections |
| AZ-ASA-003 | Recommended | Deploy Stream Analytics in a dedicated cluster for VNet isolation |
| AZ-ASA-004 | Recommended | Enable diagnostic settings for Stream Analytics job metrics and logs |

AZ-ASA-001

Deploy Stream Analytics job with Standard SKU, managed identity, and secure networking

Severity: Required
Rationale: Managed identity eliminates connection strings; Standard SKU supports production workloads
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.StreamAnalytics/streamingJobs

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Storage/storageAccounts | st-asa-checkpoint | Storage account for Stream Analytics job checkpointing and state storage |
| Microsoft.StreamAnalytics/streamingJobs/inputs | asa-input | Input binding connecting the job to its event source (Event Hub, IoT Hub, etc.) |
| Microsoft.StreamAnalytics/streamingJobs/outputs | asa-output | Output binding connecting the job to its destination (Cosmos DB, SQL, Blob, etc.) |
| Microsoft.StreamAnalytics/clusters | asa-cluster | Dedicated cluster for VNet isolation of Stream Analytics jobs |
| Microsoft.Insights/diagnosticSettings | diag-asa | Diagnostic settings routing execution and authoring logs to Log Analytics |

AZ-ASA-002

Use managed identity for all input and output connections

Severity: Required
Rationale: Connection strings with keys are insecure and hard to rotate; managed identity is zero-credential
Agents: terraform-agent, bicep-agent, cloud-architect, app-developer, csharp-developer, python-developer

Targets

  • Microsoft.StreamAnalytics/streamingJobs

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Authorization/roleAssignments | ASA Data Reader/Sender | Data reader/sender roles granting the ASA managed identity access to input/output resources |

AZ-ASA-003

Deploy Stream Analytics in a dedicated cluster for VNet isolation

Severity: Recommended
Rationale: Dedicated clusters support private endpoints and VNet integration for network isolation
Agents: terraform-agent, bicep-agent, cloud-architect

Targets

  • Microsoft.StreamAnalytics/streamingJobs

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.Network/privateEndpoints | pe-asa-cluster | Private endpoints connecting the ASA cluster to input and output resources |

AZ-ASA-004

Enable diagnostic settings for Stream Analytics job metrics and logs

Severity: Recommended
Rationale: Monitor watermark delay, input/output events, and runtime errors
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent

Targets

  • Microsoft.StreamAnalytics/streamingJobs

Companion Resources

| Resource | Name | Purpose |
| --- | --- | --- |
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace as destination for Stream Analytics diagnostic data |
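The following is an added example, not part of this wiki or of the project's agents: a small policy evaluator that applies checks AZ-ASA-001 through AZ-ASA-004 and the two anti-patterns above to an ARM-style resource list. It is written against the `Microsoft.StreamAnalytics/streamingJobs` resource shape only as far as the checks need (`sku.name`, `identity.type`, `outputErrorPolicy`, `cluster.id`, and each binding's `datasource.properties.authenticationMode`), and assumes that an omitted `authenticationMode` falls back to `ConnectionString`. The two jobs in the sample (`asa-legacy`, which violates every check, and `asa-prod`, which matches the pattern row) and the cluster and workspace IDs are constructed for the example.

```python
"""Evaluate the AZ-ASA checks and anti-patterns against ARM-style resources (added example)."""
from dataclasses import dataclass

JOB_TYPE = "Microsoft.StreamAnalytics/streamingJobs"
DIAG_TYPE = "Microsoft.Insights/diagnosticSettings"
# Constructed placeholder IDs; real deployments resolve these from the companion resources.
CLUSTER_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-asa/providers/Microsoft.StreamAnalytics/clusters/asa-cluster"
WORKSPACE_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-asa/providers/Microsoft.OperationalInsights/workspaces/log-analytics"


@dataclass(frozen=True)
class Finding:
    check: str      # AZ-ASA-00n or ANTI-PATTERN
    severity: str   # Required / Recommended
    resource: str   # streaming job name
    message: str


def _auth_mode(binding: dict) -> str:
    """authenticationMode of an input/output datasource.
    Assumption: ASA treats an omitted value as ConnectionString (key-based)."""
    datasource = binding.get("properties", {}).get("datasource", {})
    return datasource.get("properties", {}).get("authenticationMode", "ConnectionString")


def evaluate(resources: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    # Diagnostic settings are extension resources whose scope names the monitored job.
    diag_scopes = {r.get("scope") for r in resources if r.get("type") == DIAG_TYPE}

    for res in resources:
        if res.get("type") != JOB_TYPE:
            continue
        name, props = res["name"], res.get("properties", {})

        def flag(check: str, severity: str, message: str, name=name) -> None:
            findings.append(Finding(check, severity, name, message))

        # AZ-ASA-001: Standard SKU and a managed identity on the job itself
        if props.get("sku", {}).get("name") != "Standard":
            flag("AZ-ASA-001", "Required", "sku.name is not Standard")
        if res.get("identity", {}).get("type", "None") == "None":
            flag("AZ-ASA-001", "Required", "job has no managed identity")

        # AZ-ASA-002 / anti-pattern 1: every input and output binding must use Msi
        for kind in ("inputs", "outputs"):
            for binding in props.get(kind, []):
                mode = _auth_mode(binding)
                if mode != "Msi":
                    flag("AZ-ASA-002", "Required",
                         f"{kind[:-1]} {binding.get('name')} uses authenticationMode {mode}")

        # Anti-pattern 2: Drop silently discards events that fail to write
        if props.get("outputErrorPolicy") == "Drop":
            flag("ANTI-PATTERN", "Required", "outputErrorPolicy is Drop; use Stop and alert on error metrics")

        # AZ-ASA-003: job attached to a dedicated cluster
        if not props.get("cluster", {}).get("id"):
            flag("AZ-ASA-003", "Recommended", "job is not attached to a dedicated cluster")

        # AZ-ASA-004: a diagnostic setting scoped to this job
        if f"{JOB_TYPE}/{name}" not in diag_scopes:
            flag("AZ-ASA-004", "Recommended", "no diagnostic setting scoped to the job")
    return findings


def required_failures(findings: list[Finding]) -> list[Finding]:
    """Findings that should block a deployment (severity Required)."""
    return [f for f in findings if f.severity == "Required"]


def _event_hub_input(mode: str) -> dict:
    return {"name": "asa-input", "properties": {"type": "Stream", "datasource": {
        "type": "Microsoft.EventHub/EventHub",
        "properties": {"authenticationMode": mode, "serviceBusNamespace": "ehns-constructed",
                       "eventHubName": "events", "consumerGroupName": "asa"}}}}


# Constructed sample: one job breaking every check, one matching the pattern row.
SAMPLE_RESOURCES = [
    {"type": JOB_TYPE, "name": "asa-legacy",                      # no identity block at all
     "properties": {"sku": {"name": "Standard"}, "outputErrorPolicy": "Drop",
                    "inputs": [_event_hub_input("ConnectionString")],
                    "outputs": [{"name": "asa-output", "properties": {"datasource": {
                        "type": "Microsoft.Storage/Blob",
                        "properties": {"container": "sink"}}}}]}},  # authenticationMode omitted
    {"type": JOB_TYPE, "name": "asa-prod", "identity": {"type": "SystemAssigned"},
     "properties": {"sku": {"name": "Standard"}, "outputErrorPolicy": "Stop",
                    "cluster": {"id": CLUSTER_ID},
                    "inputs": [_event_hub_input("Msi")],
                    "outputs": [{"name": "asa-output", "properties": {"datasource": {
                        "type": "Microsoft.Storage/Blob",
                        "properties": {"authenticationMode": "Msi", "container": "sink"}}}}]}},
    {"type": DIAG_TYPE, "name": "diag-asa", "scope": f"{JOB_TYPE}/asa-prod",
     "properties": {"workspaceId": WORKSPACE_ID,
                    "logs": [{"category": "Execution", "enabled": True},
                             {"category": "Authoring", "enabled": True}],
                    "metrics": [{"category": "AllMetrics", "enabled": True}]}},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_RESOURCES):
        print(f"[{finding.severity}] {finding.check} {finding.resource}: {finding.message}")
```

Run as a script it lists six findings for `asa-legacy` (missing identity, two key-based bindings, the Drop policy, no cluster, no diagnostic setting) and none for `asa-prod`. Wiring the same function into a pipeline gate on `required_failures()` fails a deployment on AZ-ASA-001/002 and the Drop anti-pattern while only reporting the Recommended cluster and diagnostics checks.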
