Modifying Policy Assignments
To modify an ALZ-provided policy assignment (these reside in templates/core/governance/lib/alz), update the parPolicyAssignmentParameterOverrides object in the appropriate management group's .bicepparam file under templates/core/governance/mgmt-groups/.
Policy assignments are loaded from JSON files in the lib/alz directory; you override specific parameters in the .bicepparam file rather than editing those JSON files directly.
Each management group's .bicepparam file contains a parPolicyAssignmentParameterOverrides object, keyed by assignment name, where you specify the changes to apply to that assignment.
Example from int-root/main.bicepparam:
```bicep
param parPolicyAssignmentParameterOverrides = {
  'Deploy-MDFC-Config-H224': {
    parameters: {
      logAnalytics: {
        value: '/subscriptions/.../workspaces/law-alz-eastus'
      }
      emailSecurityContact: {
        value: 'security@yourcompany.com'
      }
    }
  }
}
```
To change the enforcement mode of a policy assignment to DoNotEnforce while still deploying the assignment (compliance is still evaluated, but the effect is not enforced), add its name to the managementGroupDoNotEnforcePolicyAssignments array:
platform/main.bicepparam:
```bicep
param platformConfig = {
  // ... other config
  managementGroupDoNotEnforcePolicyAssignments: [
    'Enable-DDoS-VNET' // This policy will be set to DoNotEnforce mode
  ]
}
```
Alternatively, you can exclude a policy assignment entirely from the deployment using managementGroupExcludedPolicyAssignments:
```bicep
param platformConfig = {
  // ... other config
  managementGroupExcludedPolicyAssignments: [
    'Enable-DDoS-VNET' // This policy will not be deployed at all
  ]
}
```
To modify policy parameters, add an override entry in parPolicyAssignmentParameterOverrides:
landingzones/main.bicepparam:
```bicep
param parPolicyAssignmentParameterOverrides = {
  'Deny-PublicPaaSEndpoints': {
    parameters: {
      effect: {
        value: 'Audit' // Changed from default 'Deny' to 'Audit'
      }
    }
  }
}
```
You can override multiple parameters in a single policy assignment:
```bicep
param parPolicyAssignmentParameterOverrides = {
  'Deploy-VM-Monitoring': {
    parameters: {
      logAnalytics: {
        value: '/subscriptions/.../workspaces/law-alz-eastus'
      }
      dcrResourceId: {
        value: '/subscriptions/.../dataCollectionRules/dcr-vmi-alz-eastus'
      }
    }
  }
}
```
You can add completely custom policy assignments using the customerPolicyAssignments array:
landingzones/main.bicepparam:
```bicep
param landingzonesConfig = {
  // ... other config
  customerPolicyAssignments: [
    // An inline assignment object in the same shape as the lib/alz JSON files
    {
      name: 'Custom-Tag-Policy'
      location: 'eastus'
      properties: {
        displayName: 'Require specific tags on resources'
        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/1e30110a-5ceb-460c-a204-c1c3969c6d62'
        scope: '/providers/Microsoft.Management/managementGroups/landingzones'
        enforcementMode: 'Default'
        parameters: {
          tagName: {
            value: 'Environment'
          }
        }
        nonComplianceMessages: [
          {
            message: 'All resources must have an Environment tag.'
          }
        ]
      }
    }
    // Or load an assignment JSON file from the library with loadJsonContent()
    loadJsonContent('../../lib/alz/CustomNaming.alz_policy_assignment.json')
  ]
}
```
You can override the deployment location for a specific policy assignment:
```bicep
param parPolicyAssignmentParameterOverrides = {
  'Deploy-MDFC-Config-H224': {
    location: 'westus2' // Override the default location
    parameters: {
      // ... parameter overrides
    }
  }
}
```
To change the scope of a policy assignment:
```bicep
param parPolicyAssignmentParameterOverrides = {
  'Custom-Policy': {
    scope: '/subscriptions/<subscription-id>' // Assign to a specific subscription
    parameters: {
      // ... parameter overrides
    }
  }
}
```
If you don’t have a DDoS protection plan, disable the Enable-DDoS-VNET policy assignment at the platform management group:
platform/main.bicepparam:
```bicep
param platformConfig = {
  // ... other config
  managementGroupExcludedPolicyAssignments: [
    'Enable-DDoS-VNET'
  ]
}
```
Or set it to DoNotEnforce mode:
```bicep
param platformConfig = {
  // ... other config
  managementGroupDoNotEnforcePolicyAssignments: [
    'Enable-DDoS-VNET'
  ]
}
```
If you plan to keep the policy enabled, make sure you provide the DDoS protection plan resource ID via the Enable-DDoS-VNET override:
```bicep
param parPolicyAssignmentParameterOverrides = {
  'Enable-DDoS-VNET': {
    parameters: {
      ddosProtectionPlanId: {
        value: '/subscriptions/<subscription-id>/resourceGroups/<rg-name>/providers/Microsoft.Network/ddosProtectionPlans/<plan-name>'
      }
    }
  }
}
```
If you don’t use private endpoints, disable the Deploy-Private-DNS-Zones policy assignment at the landingzones-corp management group:
landingzones/landingzones-corp/main.bicepparam:
```bicep
param landingzonesCorpConfig = {
  // ... other config
  managementGroupExcludedPolicyAssignments: [
    'Deploy-Private-DNS-Zones'
  ]
}
```
When you keep this policy enabled, provide the resource group that hosts your private DNS zones:
```bicep
param parPolicyAssignmentParameterOverrides = {
  'Deploy-Private-DNS-Zones': {
    parameters: {
      privateDnsZoneResourceGroupId: {
        value: '/subscriptions/<subscription-id>/resourceGroups/<rg-name>'
      }
    }
  }
}
```
If you use a third-party monitoring solution, disable these policy assignments in the landingzones management group:
landingzones/main.bicepparam:
```bicep
param landingzonesConfig = {
  // ... other config
  managementGroupExcludedPolicyAssignments: [
    'Deploy-VM-Monitoring'
    'Deploy-VMSS-Monitoring'
    'Deploy-VM-ChangeTrack'
    'Deploy-VMSS-ChangeTrack'
    'Deploy-MDFC-DefSQL-AMA'
  ]
}
```
If you keep these assignments active, make sure the required Log Analytics workspace and Data Collection Rules are available, and override parameters such as logAnalytics or dcrResourceId as needed in parPolicyAssignmentParameterOverrides.
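The three knobs above (exclusion, DoNotEnforce, parameter/location/scope overrides) are easiest to reason about as a resolution step over the library assignments. The following is an added example, not the accelerator's own Bicep logic: it models that resolution over constructed assignment objects in the lib/alz JSON shape shown on this page, using this page's parameter names, and adds the pre-deployment check the DDoS and Private DNS scenarios call for (a kept assignment whose required parameter is still empty). The merge semantics are an assumption of this model.

```python
import copy

# Constructed samples in the lib/alz *.alz_policy_assignment.json shape this page shows.
# Parameter names follow this page (ddosProtectionPlanId, privateDnsZoneResourceGroupId).
LIBRARY = {
    "Enable-DDoS-VNET": {"name": "Enable-DDoS-VNET", "location": "eastus", "properties": {
        "enforcementMode": "Default", "parameters": {"ddosProtectionPlanId": {"value": ""}}}},
    "Deploy-Private-DNS-Zones": {"name": "Deploy-Private-DNS-Zones", "location": "eastus",
        "properties": {"enforcementMode": "Default",
                       "parameters": {"privateDnsZoneResourceGroupId": {"value": ""}}}},
    "Deny-PublicPaaSEndpoints": {"name": "Deny-PublicPaaSEndpoints", "location": "eastus",
        "properties": {"enforcementMode": "Default", "parameters": {"effect": {"value": "Deny"}}}},
}
# Parameters this page says must be supplied when the assignment stays deployed.
REQUIRED = {"Enable-DDoS-VNET": ["ddosProtectionPlanId"],
            "Deploy-Private-DNS-Zones": ["privateDnsZoneResourceGroupId"]}


def resolve(library, excluded=(), do_not_enforce=(), overrides=None):
    """Assumed model: excluded assignments are dropped, DoNotEnforce flips
    enforcementMode, then overrides replace only the named library values."""
    overrides = overrides or {}
    effective = {}
    for name, assignment in library.items():
        if name in excluded:
            continue  # managementGroupExcludedPolicyAssignments: never deployed
        a = copy.deepcopy(assignment)
        if name in do_not_enforce:
            a["properties"]["enforcementMode"] = "DoNotEnforce"
        ov = overrides.get(name, {})
        if "location" in ov:
            a["location"] = ov["location"]           # top-level on the assignment
        if "scope" in ov:
            a["properties"]["scope"] = ov["scope"]   # scope lives under properties
        params = a["properties"].setdefault("parameters", {})
        for pname, pval in ov.get("parameters", {}).items():
            params[pname] = {"value": pval["value"]}  # untouched parameters keep defaults
        effective[name] = a
    return effective


def missing_required(effective, required=REQUIRED):
    """Deployed assignments (either enforcement mode still evaluates them)
    whose required parameter is empty; run before deploying a .bicepparam change."""
    problems = []
    for name, needed in required.items():
        a = effective.get(name)
        if a is None:
            continue  # excluded entirely, nothing to check
        params = a["properties"].get("parameters", {})
        problems += [f"{name}: {p} not set" for p in needed
                     if not params.get(p, {}).get("value")]
    return problems
```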
- Use Parameter Overrides: Keep your customizations in the `parPolicyAssignmentParameterOverrides` object rather than modifying JSON files
- Document Changes: Add comments in your `.bicepparam` files explaining why policy assignments are disabled or modified
- Test Thoroughly: Test policy changes in a non-production environment before applying them to production
- Review Compliance: Regularly review policy compliance reports to ensure policies are working as expected
- Understand Policy Lifecycle: Deploy management groups in order (parent before children) to ensure policies apply correctly
