From 6129009b7003e4428749442f890affe459f80f52 Mon Sep 17 00:00:00 2001 From: Anthony Watherston Date: Fri, 10 May 2024 12:19:08 +1000 Subject: [PATCH] Update ALZ assignment files (#628) Co-authored-by: Anthony Watherston --- Docs/integrating-with-alz.md | 3 + .../policyAssignments/ALZ-Corp-Default.jsonc | 91 +++--- .../ALZ-LandingZones-Default.jsonc | 303 +++++++++++++++++- .../ALZ-Management-Default.jsonc | 37 +++ .../ALZ-Platform-Default.jsonc | 284 ++++++++++++++++ .../policyAssignments/ALZ-Root-Default.jsonc | 83 ++--- .../ALZ-Sandbox-Default.jsonc | 21 +- 7 files changed, 708 insertions(+), 114 deletions(-) create mode 100644 Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc diff --git a/Docs/integrating-with-alz.md b/Docs/integrating-with-alz.md index 67a4611d..79a89709 100644 --- a/Docs/integrating-with-alz.md +++ b/Docs/integrating-with-alz.md @@ -182,6 +182,9 @@ To deploy the ALZ policies using EPAC follow the steps below. 6. Update assignment parameters. +> [!WARNING] +> Carefully review the parameters and policies deployed as they have recently changed. Review each asssignment file carefully and ensure all parameter values are completed. Due to changes in usage of the Azure Monitor Agent - there are some Data Collection Rules that must be deployed prior to assigning the policies - the source for these DCRs are provided in the assignment file parameter comments. + Several of the assignment files also have parameters which need to be in place. Pay attention to the requirements about having a Log Analytics workspace deployed prior to assigning these policies as it is a requirement for several of the assignments. Less generic parameters are also available for modification in the assignment files. 7. Follow the normal steps to deploy the solution to the environment. 
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc
index 5b645957..18e7db1c 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Corp-Default.jsonc
@@ -44,58 +44,58 @@ // but modify to reference your connectivity subscription. // Also update additionalRoleAssignments block to ensure your connectivity subscription Id is referenced. // If you don't require this then remove the assignment block. - "azureFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.afs.azure.net", - "azureAutomationWebhookPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net", - "azureAutomationDSCHybridPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net", - "azureCosmosSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.documents.azure.com", - "azureCosmosMongoPrivateDnsZoneId": "--DNSZonePrefix--privatelink.mongo.cosmos.azure.com", - "azureCosmosCassandraPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cassandra.cosmos.azure.com", - "azureCosmosGremlinPrivateDnsZoneId": "--DNSZonePrefix--privatelink.gremlin.cosmos.azure.com", - "azureCosmosTablePrivateDnsZoneId": "--DNSZonePrefix--privatelink.table.cosmos.azure.com", - "azureDataFactoryPrivateDnsZoneId": "--DNSZonePrefix--privatelink.datafactory.azure.net", - "azureDataFactoryPortalPrivateDnsZoneId": "--DNSZonePrefix--privatelink.adf.azure.com", - "azureDatabricksPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azuredatabricks.net", - "azureHDInsightPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurehdinsight.net", - "azureMigratePrivateDnsZoneId": "--DNSZonePrefix--privatelink.prod.migration.windowsazure.com", - "azureStorageBlobPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net", - "azureStorageBlobSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net", - "azureStorageQueuePrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net", - "azureStorageQueueSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net", - "azureStorageFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.file.core.windows.net", - "azureStorageStaticWebPrivateDnsZoneId": 
"--DNSZonePrefix--privatelink.web.core.windows.net", - "azureStorageStaticWebSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net", - "azureStorageDFSPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net", "azureStorageDFSSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net", - "azureSynapseSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net", - "azureSynapseSQLODPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net", + "azureIotPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices-provisioning.net", "azureSynapseDevPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dev.azuresynapse.net", - "azureMediaServicesKeyPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net", - "azureMediaServicesLivePrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net", - "azureMediaServicesStreamPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net", - "azureMonitorPrivateDnsZoneId1": "--DNSZonePrefix--privatelink.monitor.azure.com", - "azureMonitorPrivateDnsZoneId2": "--DNSZonePrefix--privatelink.oms.opinsights.azure.com", - "azureMonitorPrivateDnsZoneId3": "--DNSZonePrefix--privatelink.ods.opinsights.azure.com", - "azureMonitorPrivateDnsZoneId4": "--DNSZonePrefix--privatelink.agentsvc.azure-automation.net", - "azureMonitorPrivateDnsZoneId5": "--DNSZonePrefix--privatelink.blob.core.windows.net", + "azureSynapseSQLODPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net", + "azureIotHubsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices.net", + "azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net", + "azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net", + "azureMigratePrivateDnsZoneId": "--DNSZonePrefix--privatelink.prod.migration.windowsazure.com", + "azureCognitiveServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cognitiveservices.azure.com", 
+ "azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io", + "azureDiskAccessPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net", "azureWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.webpubsub.azure.com", + "azureCosmosMongoPrivateDnsZoneId": "--DNSZonePrefix--privatelink.mongo.cosmos.azure.com", "azureBatchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.batch.azure.com", + "azureStorageQueuePrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net", + "azureMonitorPrivateDnsZoneId5": "--DNSZonePrefix--privatelink.blob.core.windows.net", "azureAppPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azconfig.io", + "azureStorageDFSPrivateDnsZoneId": "--DNSZonePrefix--privatelink.dfs.core.windows.net", + "azureDataFactoryPrivateDnsZoneId": "--DNSZonePrefix--privatelink.datafactory.azure.net", + "azureCosmosGremlinPrivateDnsZoneId": "--DNSZonePrefix--privatelink.gremlin.cosmos.azure.com", "azureAsrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.siterecovery.windowsazure.com", - "azureIotPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices-provisioning.net", + "azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net", + "azureMediaServicesKeyPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net", + "azureStorageFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.file.core.windows.net", + "azureDatabricksPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azuredatabricks.net", + "azureStorageStaticWebSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net", + "azureStorageBlobSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net", + "azureCosmosSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.documents.azure.com", + "azureMonitorPrivateDnsZoneId2": "--DNSZonePrefix--privatelink.oms.opinsights.azure.com", "azureKeyVaultPrivateDnsZoneId": "--DNSZonePrefix--privatelink.vaultcore.azure.net", - "azureSignalRPrivateDnsZoneId": 
"--DNSZonePrefix--privatelink.service.signalr.net", - "azureAppServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurewebsites.net", "azureEventGridTopicsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net", - "azureDiskAccessPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net", - "azureCognitiveServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cognitiveservices.azure.com", - "azureIotHubsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-devices.net", + "azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms", "azureEventGridDomainsPrivateDnsZoneId": "--DNSZonePrefix--privatelink.eventgrid.azure.net", + "azureMediaServicesStreamPrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net", + "azureMonitorPrivateDnsZoneId1": "--DNSZonePrefix--privatelink.monitor.azure.com", + "azureSynapseSQLPrivateDnsZoneId": "--DNSZonePrefix--privatelink.sql.azuresynapse.net", + "azureFilePrivateDnsZoneId": "--DNSZonePrefix--privatelink.afs.azure.net", + "azureHDInsightPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurehdinsight.net", + "azureCosmosCassandraPrivateDnsZoneId": "--DNSZonePrefix--privatelink.cassandra.cosmos.azure.com", + "azureMonitorPrivateDnsZoneId3": "--DNSZonePrefix--privatelink.ods.opinsights.azure.com", + "azureMediaServicesLivePrivateDnsZoneId": "--DNSZonePrefix--privatelink.media.azure.net", + "azureCosmosTablePrivateDnsZoneId": "--DNSZonePrefix--privatelink.table.cosmos.azure.com", + "azureAutomationDSCHybridPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net", + "azureStorageStaticWebPrivateDnsZoneId": "--DNSZonePrefix--privatelink.web.core.windows.net", + "azureSignalRPrivateDnsZoneId": "--DNSZonePrefix--privatelink.service.signalr.net", + "azureMonitorPrivateDnsZoneId4": "--DNSZonePrefix--privatelink.agentsvc.azure-automation.net", + "azureAppServicesPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurewebsites.net", + 
"azureStorageQueueSecPrivateDnsZoneId": "--DNSZonePrefix--privatelink.queue.core.windows.net", "azureRedisCachePrivateDnsZoneId": "--DNSZonePrefix--privatelink.redis.cache.windows.net", - "azureAcrPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azurecr.io", - "azureEventHubNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net", - "azureMachineLearningWorkspacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.api.azureml.ms", - "azureServiceBusNamespacePrivateDnsZoneId": "--DNSZonePrefix--privatelink.servicebus.windows.net", - "azureCognitiveSearchPrivateDnsZoneId": "--DNSZonePrefix--privatelink.search.windows.net" + "azureStorageBlobPrivateDnsZoneId": "--DNSZonePrefix--privatelink.blob.core.windows.net", + "azureAutomationWebhookPrivateDnsZoneId": "--DNSZonePrefix--privatelink.azure-automation.net", + "azureDataFactoryPortalPrivateDnsZoneId": "--DNSZonePrefix--privatelink.adf.azure.com" }, "nonComplianceMessages": [ { @@ -143,6 +143,7 @@ "microsoft.network/expressroutegateways", "microsoft.network/expressrouteports", "microsoft.network/virtualwans", + "microsoft.network/virtualhubs", "microsoft.network/vpngateways", "microsoft.network/p2svpngateways", "microsoft.network/vpnsites", @@ -166,7 +167,12 @@ "policyName": "Audit-PrivateLinkDnsZones" }, "parameters": { + // Replace the ---location--- with the location of the Private Link Private DNS Zone resource "privateLinkDnsZones": [ + "privatelink.ae.backup.windowsazure.com", + "privatelink.---location---.azmk8s.io", + "privatelink.---location---.batch.azure.com", + "privatelink.---location---.kusto.windows.net", "privatelink.adf.azure.com", "privatelink.afs.azure.net", "privatelink.agentsvc.azure-automation.net", @@ -178,6 +184,7 @@ "privatelink.azurecr.io", "privatelink.azure-devices.net", "privatelink.azure-devices-provisioning.net", + "privatelink.azuredatabricks.net", "privatelink.azurehdinsight.net", "privatelink.azurehealthcareapis.com", "privatelink.azurestaticapps.net", 
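Review bot: The new `"privatelink.ae.backup.windowsazure.com"` entry in the `privateLinkDnsZones` audit list hard-codes the `ae` geo code, while the three entries added directly below it use the `---location---` placeholder that the new comment tells the reader to replace; `ae` appears to be the Australia East backup geo code, consistent with the other australiaeast defaults in this patch, so any other geography will audit for a zone that is never created and get a false-clean result for the one that is. Use a placeholder and say so in the comment: `"privatelink.---geocode---.backup.windowsazure.com",` with `// Replace ---location--- with the region of the Private DNS zones and ---geocode--- with the Recovery Services geo code (e.g. ae for Australia East)`. Because this assignment is audit-only, a wrong entry does not fail deployment, which makes the mistake easy to miss after rollout.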
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc
index 37a6d8d4..c6bc6659 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-LandingZones-Default.jsonc
@@ -7,7 +7,16 @@
 ]
 },
 "parameters": {
- "logAnalyticsWorkspaceId": "" // Replace with your central Log Analytics workspace ID
+ // The policies deployed at this scope deploy a managed identity - which is then used in the monitoring policies - you can use the same identity for the monitoring policies deployed at the platform level.
+ "logAnalyticsWorkspaceId": "", // Replace with your central Log Analytics workspace ID
+ "userAssignedManagedIdentityName": "", // Replace with the name of the user assigned managed identity to deploy
+ "userAssignedIdentityName": "", // Replace with the name of the user assigned managed identity to deploy
+ "bringYourOwnUserAssignedManagedIdentity": "true",
+ "enableProcessesAndDependencies": true,
+ "userAssignedManagedIdentityResourceGroup": "", //Replace with the name of the resource group where the user assigned managed identity is deployed
+ "identityResourceGroup": "", // Replace with the name of the resource group where the user assigned managed identity is to be deployed
+ "scopeToSupportedImages": false,
+ "builtInIdentityResourceGroupLocation": "australiaeast"
 },
 "children": [
 {
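Review bot: `"bringYourOwnUserAssignedManagedIdentity": "true"` is a JSON string while the sibling `enableProcessesAndDependencies` and `scopeToSupportedImages` in the same block are booleans; if the AMA initiatives that consume it declare the parameter as Boolean, the assignment will be rejected or the value compared as text, so it should be `"bringYourOwnUserAssignedManagedIdentity": true,` unless the definitions are confirmed to take a string. `"builtInIdentityResourceGroupLocation": "australiaeast"` is the only value in this block with a baked-in default and no `// Replace ...` comment, so it deploys as-is for anyone outside Australia; add `// Replace with the region in which the built-in identity resource group is created`. The comment recommending reuse of this identity for the platform-scope monitoring policies should also warn that the identity is presumably attached to every VM the policies remediate, so any role granted to it is effectively granted to every workload in scope and should stay limited to the monitoring data-plane roles. The enclosing `parameters` object's siblings continue outside the hunk.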
@@ -292,6 +301,31 @@
 }
 ]
 },
+ {
+ "nodeName": "DefenderSQL",
+ "assignment": {
+ "name": "Deploy-MDFC-DefenSQL-AMA",
+ "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
+ "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace."
+ },
+ "definitionEntry": {
+ "policySetName": "Deploy-MDFC-DefenderSQL-AMA",
+ "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Microsoft Defender for SQL must be deployed."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceGroup": "", // Resource group for the DCR
+ "dcrId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
+ "userWorkspaceResourceId": "", //Log analytics workspace Id
+ "workspaceRegion": "", // Log analytics workspace region
+ "dcrName": "" // DCR Name
+ }
+ },
 {
 "nodeName": "DenyMgmt",
 "assignment": {
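Review bot: The comment on `userWorkspaceResourceId`, `//Log analytics workspace Id`, is ambiguous because the parameter name asks for a full ARM resource ID while Log Analytics also exposes a workspace (customer) GUID that operators commonly call the workspace ID; change it to `// Full resource ID of the Log Analytics workspace (/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/<name>), not the workspace GUID`. The assignment description says the policy "Creates a resource group and a Data Collection Rule", yet `dcrId` is documented as the ID of an already-deployed DCR, so one of the two is stale; the comments should state which of `dcrResourceGroup`/`dcrName`/`dcrId` must name the pre-deployed DCR and that `workspaceRegion` must match that DCR's region, since a mismatch presumably only surfaces as a failed remediation. This block is repeated verbatim in ALZ-Platform-Default.jsonc later in the patch, so whichever wording is chosen should be applied to both.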
@@ -310,6 +344,273 @@ ] } ] + }, + { + "nodeName": "Updates", + "children": [ + { + "nodeName": "UpdateManager", + "assignment": { + "name": "Enable-AUM-CheckUpdates", + "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.", + "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode." + }, + "definitionEntry": { + "policySetName": "Deploy-AUM-CheckUpdates", + "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "Periodic checking of missing updates must be enabled." + } + ] + }, + "parameters": { + "locations": [ + "asia", + "asiapacific", + "australia", + "australiacentral", + "australiacentral2", + "australiaeast", + "australiasoutheast", + "brazil", + "brazilsouth", + "brazilsoutheast", + "brazilus", + "canada", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "centralusstage", + "eastasia", + "eastasiastage", + "eastus", + "eastusstage", + "eastus2", + "eastus2stage", + "europe", + "france", + "francecentral", + "francesouth", + "germany", + "germanynorth", + "germanywestcentral", + "global", + "india", + "israelcentral", + "italynorth", + "japan", + "japaneast", + "japanwest", + "jioindiacentral", + "jioindiawest", + "korea", + "koreacentral", + "koreasouth", + "northcentralus", + "northcentralusstage", + "northeurope", + "norway", + "norwayeast", + "norwaywest", + "polandcentral", + "qatarcentral", + "singapore", + "southafrica", + "southafricanorth", + "southafricawest", + "southcentralus", + "southcentralusstage", + "southindia", 
+ "southeastasia", + "southeastasiastage", + "sweden", + "swedencentral", + "switzerland", + "switzerlandnorth", + "switzerlandwest", + "uaecentral", + "uaenorth", + "uksouth", + "ukwest", + "uae", + "uk", + "unitedstates", + "unitedstateseuap", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westusstage", + "westus2", + "westus2stage", + "westus3" + ] + } + } + ] + }, + { + "nodeName": "ManagedIdentity", + "children": [ + { + "nodeName": "UAMI", + "assignment": { + "name": "Deploy-UAMI-VMInsights", + "displayName": "Deploy User Assigned Managed Identity for VM Insights", + "description": "Deploy User Assigned Managed Identity for VM Insights" + }, + "definitionEntry": { + "policyName": "Deploy-UserAssignedManagedIdentity-VMInsights", + "displayName": "Deploy User Assigned Managed Identity for VM Insights", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "User Assigned Identity must be created for VM Insights." + } + ] + }, + "parameters": {} + } + ] + }, + { + "nodeName": "Monitoring", + "children": [ + { + "nodeName": "VM", + "assignment": { + "name": "Deploy-VM-Monitoring", + "displayName": "Enable Azure Monitor for VMs", + "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter." + }, + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6", + "displayName": "Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "Azure Monitor must be enabled for Virtual Machines." 
+ } + ] + }, + "parameters": { + "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json + } + }, + { + "nodeName": "VMSS", + "assignment": { + "name": "Deploy-VMSS-Monitoring", + "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets", + "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances." + }, + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485", + "displayName": "Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "Azure Monitor must be enabled for Virtual Machines Scales Sets." + } + ] + }, + "parameters": { + "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json + } + }, + { + "nodeName": "Arc", + "assignment": { + "name": "Deploy-vmHybr-Monitoring", + "displayName": "Enable Azure Monitor for Hybrid Virtual Machines", + "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group)." + }, + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321", + "displayName": "Enable Azure Monitor for Hybrid VMs with AMA", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "Azure Monitor must be enabled for Hybrid Virtual Machines." 
+ } + ] + }, + "parameters": { + "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json + } + } + ] + }, + { + "nodeName": "ChangeTracking", + "children": [ + { + "nodeName": "VM", + "assignment": { + "name": "Deploy-VM-ChangeTrack", + "displayName": "Enable ChangeTracking and Inventory for virtual machines", + "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent." + }, + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354", + "displayName": "[Preview]: Enable ChangeTracking and Inventory for virtual machines", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "Change Tracking must be enabled for Virtual Machines." + } + ] + }, + "parameters": { + "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json + } + }, + { + "nodeName": "VMSS", + "assignment": { + "name": "Deploy-VMSS-ChangeTrack", + "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets", + "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent." 
+ }, + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc", + "displayName": "[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "Change Tracking must be enabled for Virtual Machines Scales Sets." + } + ] + }, + "parameters": { + "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json + } + }, + { + "nodeName": "Arc", + "assignment": { + "name": "Deploy-vmArc-ChangeTrack", + "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines", + "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations." + }, + "definitionEntry": { + "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1", + "displayName": "[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines", + "nonComplianceMessages": [ + { + "policyDefinitionReferenceId": null, + "message": "Change Tracking must be enabled for Arc-enabled Virtual Machines." + } + ] + }, + "parameters": { + "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json + } + } + ] } ] } \ No newline at end of file diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc new file mode 100644 index 00000000..43eacd7c --- /dev/null +++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Management-Default.jsonc 
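Review bot: The `Deploy-VM-Monitoring` and `Deploy-VMSS-Monitoring` descriptions still say "Takes Log Analytics workspace as parameter", but the only parameter supplied is `dcrResourceId` and the built-in AMA initiatives they reference are driven by a Data Collection Rule, so the wording is carried over from the MMA-era assignments and will mislead operators reading the assignment in the portal; end both with `Takes a Data Collection Rule resource ID as parameter.` instead. The three ChangeTracking assignments pin `[Preview]` built-in policy sets by GUID, which is fine for EPAC but deserves a comment such as `// Preview built-in initiative: its parameter names may change at GA, re-check after refreshing policy definitions` because a renamed parameter would break remediation silently. The `locations` list for `Enable-AUM-CheckUpdates` includes names that are not deployable VM regions (`global`, `asia`, `europe`, `unitedstates`, the `*stage` entries, `unitedstateseuap`); they are harmless for matching, but trimming to real regions keeps the assignment reviewable. `Deploy-UAMI-VMInsights` is added with `"parameters": {}` and therefore depends on the file-level `userAssignedIdentityName`, `identityResourceGroup` and `builtInIdentityResourceGroupLocation` values, which is worth a one-line comment on that `parameters` line. The `children` array this hunk appends to starts outside the hunk.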
@@ -0,0 +1,37 @@
+{
+ "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
+ "nodeName": "/Management/",
+ "scope": {
+ "tenant1": [ // Replace with your EPAC environment name and validate the management group listed below exists
+ "/providers/Microsoft.Management/managementGroups/management"
+ ]
+ },
+ "parameters": {
+ "workspaceRegion": "", // Replace with your primary region
+ "automationRegion": "", // Replace with your primary region
+ "rgName": "alz-mgmt", // Replace with a unique resource group name
+ "automationAccountName": "alz-aauto", // Replace with an automation account name
+ "workspaceName": "alz-law" // Replace with a Log Analytics workspace name
+ },
+ "children": [
+ {
+ "nodeName": "Automation",
+ "enforcementMode": "DoNotEnforce", // This assignment is not enforced by default in case an automation account or Log Analytics workspace already exists
+ "assignment": {
+ "name": "Deploy-Log-Analytics",
+ "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring",
+ "description": "Deploy resource group containing Log Analytics workspace and linked automation account to centralize logs and monitoring. The automation account is aprerequisite for solutions like Updates and Change Tracking."
+ },
+ "definitionEntry": {
+ "policyId": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955",
+ "displayName": "Configure Log Analytics workspace and automation account to centralize logs and monitoring",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Log Analytics workspace and automation account should be configured to centralize logs and monitoring."
+ }
+ ]
+ }
+ }
+ ]
+}
\ No newline at end of file
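Review bot: The description's claim that "The automation account is aprerequisite for solutions like Updates and Change Tracking" (also a typo for `a prerequisite`) is stale relative to the rest of this patch, which moves Updates to Azure Update Manager (`Deploy-AUM-CheckUpdates`) and Change Tracking to AMA Data Collection Rules, neither of which needs a linked automation account; since an automation account can carry its own managed identity and runbooks, either drop the claim or name the remaining consumer so the extra resource is a deliberate choice. With `"enforcementMode": "DoNotEnforce"` this assignment will not create the workspace, while the Landing Zone and Platform files in the same patch require the workspace and DCRs to pre-exist, so make the dependency explicit in the comment: `// DoNotEnforce: switch to Default only if this policy should create the workspace; otherwise the workspace referenced by the other ALZ-*-Default.jsonc files must be deployed before those assignments`. The sample values `alz-mgmt`, `alz-aauto` and `alz-law` are deployable as-is, unlike the empty region parameters; leaving them empty would make a missed replacement fail at deployment rather than silently create resources with default names.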
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc
index 26313ca4..a22777ad 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Platform-Default.jsonc
@@ -6,6 +6,17 @@
 "/providers/Microsoft.Management/managementGroups/platform"
 ]
 },
+ // Ensure that this whole file is review for parameters and ensure DCRs, managed identities, and log anaytics workspace are deployed
+ // Sources for the DCRs which need to be deployed are in the individual assignment parameter comments
+ "parameters": {
+ "userAssignedManagedIdentityName": "", // Replace with the name of the user assigned managed identity
+ "userAssignedIdentityName": "", // Replace with the name of the user assigned managed identity
+ "bringYourOwnUserAssignedManagedIdentity": "true",
+ "enableProcessesAndDependencies": true,
+ "userAssignedManagedIdentityResourceGroup": "", //Replace with the name of the resource group where the user assigned managed identity is deployed
+ "identityResourceGroup": "", // Replace with the name of the resource group where the user assigned managed identity is deployed
+ "scopeToSupportedImages": false
+ },
 "children": [
 {
 "nodeName": "KeyVault/",
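Review bot: This file sets `"bringYourOwnUserAssignedManagedIdentity": "true"` (a string, unlike the sibling booleans) but, unlike ALZ-LandingZones-Default.jsonc in this patch, adds no assignment that creates the identity, so the DeployIfNotExists monitoring policies at the platform scope will presumably fail remediation in any platform subscription where `userAssignedIdentityName` does not already exist in `identityResourceGroup`; add a comment stating that the identity must exist in each platform subscription before these assignments are enforced, and confirm whether the initiatives expect `true` rather than `"true"`. The header comment `// Ensure that this whole file is review for parameters and ensure DCRs, managed identities, and log anaytics workspace are deployed` has two typos and should read `// Ensure this whole file is reviewed for parameters, and that the DCRs, managed identities and Log Analytics workspace are deployed before assignment`. The `children` array continues outside the hunk.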
@@ -28,6 +39,279 @@
 ]
 }
 ]
+ },
+ {
+ "nodeName": "Security",
+ "children": [
+ {
+ "nodeName": "DefenderSQL",
+ "assignment": {
+ "name": "Deploy-MDFC-DefenSQL-AMA",
+ "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
+ "description": "Microsoft Defender for SQL collects events from the agents and uses them to provide security alerts and tailored hardening tasks (recommendations). Creates a resource group and a Data Collection Rule in the same region as the user-defined Log Analytics workspace."
+ },
+ "definitionEntry": {
+ "policySetName": "Deploy-MDFC-DefenderSQL-AMA",
+ "displayName": "Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Microsoft Defender for SQL must be deployed."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceGroup": "", // Resource group for the DCR
+ "dcrId": "", // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json
+ "userWorkspaceResourceId": "", //Log analytics workspace Id
+ "workspaceRegion": "", // Log analytics workspace region
+ "dcrName": "" // DCR Name
+ }
+ }
+ ]
+ },
+ {
+ "nodeName": "Monitoring",
+ "children": [
+ {
+ "nodeName": "VM",
+ "assignment": {
+ "name": "Deploy-VM-Monitoring",
+ "displayName": "Enable Azure Monitor for VMs",
+ "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
+ },
+ "definitionEntry": {
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
+ "displayName": "Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA)",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Azure Monitor must be enabled for Virtual Machines."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json
+ }
+ },
+ {
+ "nodeName": "VMSS",
+ "assignment": {
+ "name": "Deploy-VMSS-Monitoring",
+ "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
+ "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances."
+ },
+ "definitionEntry": {
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485",
+ "displayName": "Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA)",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Azure Monitor must be enabled for Virtual Machines Scales Sets."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json
+ }
+ },
+ {
+ "nodeName": "Arc",
+ "assignment": {
+ "name": "Deploy-vmHybr-Monitoring",
+ "displayName": "Enable Azure Monitor for Hybrid Virtual Machines",
+ "description": "Enable Azure Monitor for Hybrid Virtual Machines in the specified scope (Management group, Subscription or resource group)."
+ },
+ "definitionEntry": {
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321",
+ "displayName": "Enable Azure Monitor for Hybrid VMs with AMA",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Azure Monitor must be enabled for Hybrid Virtual Machines."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-VmInsights.json
+ }
+ }
+ ]
+ },
+ {
+ "nodeName": "ChangeTracking",
+ "children": [
+ {
+ "nodeName": "VM",
+ "assignment": {
+ "name": "Deploy-VM-ChangeTrack",
+ "displayName": "Enable ChangeTracking and Inventory for virtual machines",
+ "description": "Enable ChangeTracking and Inventory for virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent."
+ },
+ "definitionEntry": {
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354",
+ "displayName": "[Preview]: Enable ChangeTracking and Inventory for virtual machines",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Change Tracking must be enabled for Virtual Machines."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json
+ }
+ },
+ {
+ "nodeName": "VMSS",
+ "assignment": {
+ "name": "Deploy-VMSS-ChangeTrack",
+ "displayName": "Enable ChangeTracking and Inventory for virtual machine scale sets",
+ "description": "Enable ChangeTracking and Inventory for virtual machine scale sets. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations and user-assigned identity for Azure Monitor Agent."
+ },
+ "definitionEntry": {
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc",
+ "displayName": "[Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Change Tracking must be enabled for Virtual Machines Scales Sets."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json
+ }
+ },
+ {
+ "nodeName": "Arc",
+ "assignment": {
+ "name": "Deploy-vmArc-ChangeTrack",
+ "displayName": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines",
+ "description": "Enable ChangeTracking and Inventory for Arc-enabled virtual machines. Takes Data Collection Rule ID as parameter and asks for an option to input applicable locations."
+ },
+ "definitionEntry": {
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1",
+ "displayName": "[Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Change Tracking must be enabled for Arc-enabled Virtual Machines."
+ }
+ ]
+ },
+ "parameters": {
+ "dcrResourceId": "" // Resource Id for the deployed DCR - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule-CT.json
+ }
+ }
+ ]
+ },
+ {
+ "nodeName": "Updates",
+ "children": [
+ {
+ "nodeName": "UpdateManager",
+ "assignment": {
+ "name": "Enable-AUM-CheckUpdates",
+ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines.",
+ "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode."
+ },
+ "definitionEntry": {
+ "policySetName": "Deploy-AUM-CheckUpdates",
+ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines",
+ "nonComplianceMessages": [
+ {
+ "policyDefinitionReferenceId": null,
+ "message": "Periodic checking of missing updates must be enabled."
+ }
+ ]
+ },
+ "parameters": {
+ "locations": [
+ "asia",
+ "asiapacific",
+ "australia",
+ "australiacentral",
+ "australiacentral2",
+ "australiaeast",
+ "australiasoutheast",
+ "brazil",
+ "brazilsouth",
+ "brazilsoutheast",
+ "brazilus",
+ "canada",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "centralusstage",
+ "eastasia",
+ "eastasiastage",
+ "eastus",
+ "eastusstage",
+ "eastus2",
+ "eastus2stage",
+ "europe",
+ "france",
+ "francecentral",
+ "francesouth",
+ "germany",
+ "germanynorth",
+ "germanywestcentral",
+ "global",
+ "india",
+ "israelcentral",
+ "italynorth",
+ "japan",
+ "japaneast",
+ "japanwest",
+ "jioindiacentral",
+ "jioindiawest",
+ "korea",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northcentralusstage",
+ "northeurope",
+ "norway",
+ "norwayeast",
+ "norwaywest",
+ "polandcentral",
+ "qatarcentral",
+ "singapore",
+ "southafrica",
+ "southafricanorth",
+ "southafricawest",
+ "southcentralus",
+ "southcentralusstage",
+ "southindia",
+ "southeastasia",
+ "southeastasiastage",
+ "sweden",
+ "swedencentral",
+ "switzerland",
+ "switzerlandnorth",
+ "switzerlandwest",
+ "uaecentral",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "uae",
+ "uk",
+ "unitedstates",
+ "unitedstateseuap",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westusstage",
+ "westus2",
+ "westus2stage",
+ "westus3"
+ ]
+ }
+ }
+ ]
+ }
+ ]
+ }
 ]
 }
\ No newline at end of file
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
index d9008549..37dafb54 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Root-Default.jsonc
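Review bot: Every `dcrResourceId` and `dcrId` in this hunk, plus `userWorkspaceResourceId`, `workspaceRegion`, `dcrResourceGroup` and `dcrName` under DefenderSQL, ships as an empty string, and unlike the new Management file none of these assignments carries an `enforcementMode` override, so the DeployIfNotExists remediations will be enforced against a DCR that does not exist and fail at deployment time rather than at plan time; the comments link the DCR templates but should also state the expected value shape, e.g. `// REQUIRED: full ARM id of the pre-deployed DCR, /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Insights/dataCollectionRules/<name>`. The Update Manager `locations` array also contains values that are not VM deployment regions — geography aliases such as `asia`, `europe`, `unitedstates`, the `global` pseudo-region and the `*stage` and `unitedstateseuap` entries — which look like an unfiltered location dump; they are probably harmless for an assessment-mode policy, but trimming to real regions would make the intent reviewable. Separately, the DefenderSQL assignment `name` `Deploy-MDFC-DefenSQL-AMA` does not match its `policySetName` `Deploy-MDFC-DefenderSQL-AMA`; if the shortening is deliberate (assignment-name length limit at management-group scope) a comment saying so would stop someone "fixing" it.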
@@ -11,8 +11,7 @@
 "logAnalytics_1": "", // Replace with your central Log Analytics workspace ID
 "emailSecurityContact": "", // Security contact email address for Microsoft Defender for Cloud
 "ascExportResourceGroupName": "mdfc-export", // Resource group to export Microsoft Defender for Cloud data to
- "ascExportResourceGroupLocation": "", // Location of the resource group to export Microsoft Defender for Cloud data to
- "dcrResourceId": "" // Resource Id for the DCR for Azure Monitor - see https://github.com/Azure/Enterprise-Scale/blob/main/eslzArm/resourceGroupTemplates/dataCollectionRule.json
+ "ascExportResourceGroupLocation": "" // Location of the resource group to export Microsoft Defender for Cloud data to
 },
 "children": [
 {
@@ -26,7 +25,7 @@
 "description": "Microsoft Cloud Security Benchmark policy initiative"
 },
 "definitionEntry": {
- "policySetName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8",
 "displayName": "Microsoft Cloud Security Benchmark"
 },
 "parameters": {},
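Review bot: `emailSecurityContact` is still an empty string in the retained root parameters, and whatever Defender for Cloud assignment consumes it further down this file (outside the hunk) is presumably enforced from root, so as shipped the remediation would write a security contact with no address and Defender alert e-mails would silently go nowhere; the comment should mark it as mandatory, e.g. `// REQUIRED: an empty value deploys a security contact with no e-mail address, so Defender for Cloud alerts are not delivered`. The `logAnalytics_1` comment says "workspace ID", which is ambiguous between the workspace's ARM resource id and its customer GUID; the diagnostic-settings policies in ALZ take the resource id as far as I can tell, so `// Full resource id of the central Log Analytics workspace (/subscriptions/.../providers/Microsoft.OperationalInsights/workspaces/<name>)` would remove the guesswork. Dropping `dcrResourceId` from root is consistent with the VM-monitoring assignments leaving this file later in the patch.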
@@ -48,20 +47,20 @@
 "displayName": "Microsoft Defender For Cloud"
 },
 "parameters": {
- "enableAscForServers": "DeployIfNotExists", // Adjust parameter values to control Microsoft Defender for Cloud configuration DeployIfNotExists/DeployIfNotExists
- "enableAscForSql": "DeployIfNotExists",
- "enableAscForAppServices": "DeployIfNotExists",
- "enableAscForStorage": "DeployIfNotExists",
- "enableAscForContainers": "DeployIfNotExists",
- "enableAscForKeyVault": "DeployIfNotExists",
- "enableAscForSqlOnVm": "DeployIfNotExists",
- "enableAscForArm": "DeployIfNotExists",
- "enableAscForDns": "DeployIfNotExists",
- "enableAscForOssDb": "DeployIfNotExists",
- "enableAscForCosmosDbs": "DeployIfNotExists",
- "enableAscForServersVulnerabilityAssessments": "DeployIfNotExists",
- "enableAscForApis": "DeployIfNotExists",
- "enableAscForCspm": "DeployIfNotExists",
+ "enableAscForServers": "Disabled", // Adjust parameter values to control Microsoft Defender for Cloud configuration Disabled/Disabled
+ "enableAscForSql": "Disabled",
+ "enableAscForAppServices": "Disabled",
+ "enableAscForStorage": "Disabled",
+ "enableAscForContainers": "Disabled",
+ "enableAscForKeyVault": "Disabled",
+ "enableAscForSqlOnVm": "Disabled",
+ "enableAscForArm": "Disabled",
+ "enableAscForDns": "Disabled",
+ "enableAscForOssDb": "Disabled",
+ "enableAscForCosmosDbs": "Disabled",
+ "enableAscForServersVulnerabilityAssessments": "Disabled",
+ "enableAscForApis": "Disabled",
+ "enableAscForCspm": "Disabled",
 "vulnerabilityAssessmentProvider": "mdeTvm"
 },
 "nonComplianceMessages": [
@@ -78,7 +77,7 @@
 "description": "Deploy Microsoft Defender for Endpoint agent on applicable images."
 },
 "definitionEntry": {
- "policySetName": "e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc",
 "displayName": "Microsoft Defender for Endpoint agent"
 },
 "parameters": {
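Review bot: Flipping all fourteen `enableAscFor*` values to `"Disabled"` means this root assignment no longer enables any Defender for Cloud plan by default, which is a real posture change for anyone who redeploys from these defaults and deserves a sentence in the commit description rather than being buried in a parameter block. The inline comment was mangled by the same search-and-replace — `DeployIfNotExists/DeployIfNotExists` became `Disabled/Disabled`, so it no longer tells the reader what the other valid value is; replace it with `// Plans default to Disabled (leaves existing Defender pricing tiers untouched); set to "DeployIfNotExists" for each plan this assignment should enable. Valid values: DeployIfNotExists/Disabled`. `vulnerabilityAssessmentProvider` stays `"mdeTvm"` while `enableAscForServersVulnerabilityAssessments` is now disabled, which is consistent but worth a one-line note that the provider only matters once that plan is re-enabled (inferred from the parameter names — confirm against the initiative).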
@@ -101,7 +100,7 @@
 "description": "Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu."
 },
 "definitionEntry": {
- "policySetName": "e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e",
 "displayName": "Microsoft Defender for Endpoint open-source relational databases"
 },
 "nonComplianceMessages": [
@@ -118,7 +117,7 @@
 "description": "Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases."
 },
 "definitionEntry": {
- "policySetName": "9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
+ "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97",
 "displayName": "Microsoft Defender for SQL Servers and SQL Managed Instances"
 },
 "nonComplianceMessages": [
@@ -157,7 +156,7 @@
 "description": "Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events"
 },
 "definitionEntry": {
- "policyName": "2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
+ "policyId": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f",
 "displayName": "Activity Logs"
 },
 "parameters": {},
@@ -190,46 +189,6 @@
 {
 "nodeName": "Compute/",
 "children": [
- {
- "nodeName": "VMMonitoring",
- "assignment": {
- "name": "Deploy-VM-Monitoring",
- "displayName": "Enable Azure Monitor for VMs",
- "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
- },
- "definitionEntry": {
- "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6",
- "displayName": "VM Monitoring"
- },
- "parameters": {
- "bringYourOwnUserAssignedManagedIdentity": false
- },
- "nonComplianceMessages": [
- {
- "message": "Azure Monitor must be enabled for Virtual Machines."
- }
- ]
- },
- {
- "nodeName": "VMSSMonitoring",
- "assignment": {
- "name": "Deploy-VMSS-Monitoring",
- "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets",
- "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances."
- },
- "definitionEntry": {
- "policySetId": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485",
- "displayName": "VMSS Monitoring"
- },
- "parameters": {
- "bringYourOwnUserAssignedManagedIdentity": false
- },
- "nonComplianceMessages": [
- {
- "message": "Azure Monitor must be enabled for Virtual Machine Scale Sets."
- }
- ]
- },
 {
 "nodeName": "DenyUnmanagedDisk",
 "assignment": {
@@ -238,7 +197,7 @@
 "description": "Deny virtual machines that do not use managed disk. It checks the managed disk property on virtual machine OS Disk fields."
 },
 "definitionEntry": {
- "policyName": "06a78e20-9358-41c9-923c-fb736d382a4d",
+ "policyId": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d",
 "displayName": "Unmanaged Disks"
 },
 "nonComplianceMessages": [
diff --git a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Sandbox-Default.jsonc b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Sandbox-Default.jsonc
index a1233f5b..dbe5e708 100644
--- a/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Sandbox-Default.jsonc
+++ b/Scripts/CloudAdoptionFramework/policyAssignments/ALZ-Sandbox-Default.jsonc
@@ -19,15 +19,18 @@
 },
 "parameters": {
 "listOfResourceTypesNotAllowed": [
- "microsoft.network/expressroutecircuits",
- "microsoft.network/expressroutegateways",
- "microsoft.network/expressrouteports",
- "microsoft.network/virtualwans",
- "microsoft.network/virtualhubs",
- "microsoft.network/vpngateways",
- "microsoft.network/p2svpngateways",
- "microsoft.network/vpnsites",
- "microsoft.network/virtualnetworkgateways"
+ "microsoft.consumption/tags",
+ "microsoft.authorization/roleassignments",
+ "microsoft.authorization/roledefinitions",
+ "microsoft.authorization/policyassignments",
+ "microsoft.authorization/locks",
+ "microsoft.authorization/policydefinitions",
+ "microsoft.authorization/policysetdefinitions",
+ "microsoft.resources/tags",
+ "microsoft.authorization/roleeligibilityschedules",
+ "microsoft.authorization/roleeligibilityscheduleinstances",
+ "microsoft.authorization/roleassignmentschedules",
+ "microsoft.authorization/roleassignmentscheduleinstances"
 ]
 },
 "nonComplianceMessages": [
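Review bot: The sandbox `listOfResourceTypesNotAllowed` no longer contains the ExpressRoute, VPN gateway, virtual WAN and virtual network gateway types, so unless that restriction now lives in an assignment outside this hunk, sandbox subscriptions can again build hybrid connectivity back into the corporate network — the isolation the previous list enforced — and the commit gives no rationale for dropping it. The replacement list is entirely `microsoft.authorization/*`, `microsoft.resources/tags` and `microsoft.consumption/tags`; if the initiative behind this parameter applies a Deny effect, that blocks every role assignment, PIM schedule, lock and policy assignment created inside sandbox subscriptions, a far broader control than before that would also hit any remediation or automation identity needing to create role assignments there, so it should be confirmed both that this is intended and that Azure Policy actually evaluates those resource types at this scope. A comment above the array stating the intent, e.g. `// Block privilege and governance changes inside sandbox subscriptions; hybrid connectivity types are denied by <assignment>`, would make the change reviewable. The assignment header and `definitionEntry` for this parameter block sit outside the hunk.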