Policy Assignments
As part of a default deployment configuration, policy and policy set definitions are deployed at multiple levels of the Azure landing zone management group hierarchy, as depicted in the diagram below.

Important: As part of the ALZ portal deployment/configuration, policy and policy set definitions are created only at the intermediate management group (e.g. `contoso`) that is a child of the tenant root management group and is created during the ALZ deployment. Our automation does not assign any policies at the tenant root management group scope, only to the ALZ hierarchy it deploys and its children (e.g. `contoso` and below). This approach aligns with the Cloud Adoption Framework's best practices for Azure Policy assignment, ensuring clear delineation of policy application and avoiding unintended policy inheritance across the entire tenant. By placing policies only at the intermediate root and its child management groups, we maintain compliance, flexibility, and alignment with organizational governance requirements, and also allow multiple management group hierarchies to exist in a single tenant, such as the canary approach.
Tip: For convenience, an Excel version of the information below is available here.
Note: The table below is scrollable. On smaller screens, please scroll horizontally to view all columns.
| Assignment Scope (MG) | Assignment Name | Definition Name | Type | Custom/Builtin | Description | Effect | GitHub Assignment File | AzAdvertizer Link | Release | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| Intermediate Root | Deploy Microsoft Defender for Cloud configuration | Deploy Microsoft Defender for Cloud configuration | Initiative | Custom | Configures all the MDFC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from MDFC to Log Analytics workspace | DeployIfNotExists | DINE-MDFCConfigPolicyAssignment.json | Deploy Microsoft Defender for Cloud configuration (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Deploy-MDEndpoints | [Preview]: Deploy Microsoft Defender for Endpoint agent | Initiative | Built-in | Deploy Microsoft Defender for Endpoint agent on applicable images. | DeployIfNotExists | DINE-MDEndpointsPolicyAssignment.json | [Preview]: Deploy Microsoft Defender for Endpoint agent (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Deploy-MDEndpointsAMA | Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud | Initiative | Built-in | Configure the multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud (WDATP, WDATP_EXCLUDE_LINUX_PUBLIC_PREVIEW, WDATP_UNIFIED_SOLUTION etc.). See: https://learn.microsoft.com/azure/defender-for-cloud/integration-defender-for-endpoint for more information. | DeployIfNotExists | DINE-MDEndpointsAMAPolicyAssignment.json | Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud - 77b391e3-2d5d-40c3-83bf-65c846b3c6a3 (azadvertizer.net) | 2024-05-15 | |
| Intermediate Root | Deploy-Diag-Logs | Enable allLogs category group resource logging for supported resources to Log Analytics | Initiative | Built-in | Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This initiative deploys diagnostic setting using the allLogs category group to route logs to Log Analytics Workspace for all supported resources | DeployIfNotExists | DINE-ResourceDiagnosticsPolicyAssignment.json | Enable allLogs category group resource logging for supported resources to Log Analytics - 0884adba-2312-4468-abeb-5422caed1038 (azadvertizer.net) | 2024-05-15 | |
| Intermediate Root | Microsoft Cloud Security Benchmark | Azure Security Benchmark | Initiative | Built-in | The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled | DINE-ASBPolicyAssignment.json | Azure Security Benchmark (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Microsoft Cloud Security Benchmark v2 | [Preview]: Microsoft cloud security benchmark v2 | Initiative | Built-in | The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. | Audit, AuditIfNotExists, Disabled | DINE-ASB2PolicyAssignment.json | https://www.azadvertizer.net/azpolicyinitiativesadvertizer/e3ec7e09-768c-4b64-882c-fcada3772047.html | 2025-12-01 | |
| Intermediate Root | Configure Advanced Threat Protection to be enabled on open-source relational databases | Configure Advanced Threat Protection to be enabled on open-source relational databases | Initiative | Built-in | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. | DeployIfNotExists | DINE-AtpOssDbPolicyAssignment.json | Configure Advanced Threat Protection to be enabled on open-source relational databases (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances | Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances | Initiative | Built-in | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists | DINE-AtpSqlDbPolicyAssignment.json | Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Deploy Diagnostic Settings for Activity Log to Log Analytics workspace | Configure Azure Activity logs to stream to specified Log Analytics workspace | Policy | Built-in | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists | DINE-ActivityLogPolicyAssignment.json | Configure Azure Activity logs to stream to specified Log Analytics workspace (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Deny the deployment of classic resources | Deny the deployment of classic resources | Policy | Custom | Denies deployment of classic resource types under the assigned scope. | Deny | DENY-ClassicResourceTypesPolicyAssignment.json | Not allowed resource types (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Enforce Azure Compute Security Baseline compliance auditing | Enforce Azure Compute Security Baseline compliance auditing | Initiative | Custom | This initiative assignment enables Azure Compute Security Baseline compliance auditing for Windows and Linux virtual machines. | AuditIfNotExists | ENFORCE-AcsbPolicyAssignment.json | Enforce Azure Compute Security Benchmark compliance auditing (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Deny virtual machines and virtual machine scale sets that do not use managed disk | Deny virtual machines and virtual machine scale sets not using OS Managed Disk | Policy | Custom | Deny virtual machines not using managed disk. It checks the managedDisk property on virtual machine OS Disk fields. | Deny | DENY-VMUnmanagedDiskPolicyAssignment.json | Audit VMs that do not use managed disks (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Unused resources driving cost should be avoided | Unused resources driving cost should be avoided | Initiative | Custom | This Policy initiative is a group of Policy definitions that help optimize cost by detecting unused but chargeable resources. Leverage this Policy initiative as a cost control to reveal orphaned resources that are driving cost. | Audit | AUDIT-UnusedResourcesPolicyAssignment.json | Unused resources driving cost should be avoided (azadvertizer.net) | 2023-04-02 | |
| Intermediate Root | Deploy Azure Monitor Baseline Alerts for Service Health | Deploy Azure Monitor Baseline Alerts for Service Health | Initiative | Custom | Initiative to deploy AMBA Service Health alerts to Azure services | DeployIfNotExists | DINE-ServiceHealthAssignment.json | Deploy Azure Monitor Baseline Alerts for Service Health - Alerting-ServiceHealth (azadvertizer.net) | 2023-09-11 | |
| Intermediate Root | Resources should be Zone Resilient | Resources should be Zone Resilient | Initiative | Built-in | Some resource types can be deployed Zone Redundant (e.g. SQL Databases); some can be deployed Zone Aligned (e.g. Virtual Machines); and some can be deployed either Zone Aligned or Zone Redundant (e.g. Virtual Machine Scale Sets). Being zone aligned does not guarantee resilience, but it is the foundation on which a resilient solution can be built (e.g. three Virtual Machine Scale Sets zone aligned to three different zones in the same region with a load balancer). See https://aka.ms/AZResilience for more info. | Audit | AUDIT-ZoneResilientPolicyAssignment.json | [Preview]: Resources should be Zone Resilient - 130fb88f-0fc9-4678-bfe1-31022d71c7d5 (azadvertizer.net) | 2023-12-06 | |
| Intermediate Root | Audit-TrustedLaunch | Audit-TrustedLaunch | Initiative | Custom | Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch. | Audit | AUDIT-TrustedLauchPolicyAssignment.json | Audit-TrustedLaunch | 2024-05-15 | |
| Intermediate Root | Configure subscriptions to enable service health alert monitoring rule | [Preview]: Configure subscriptions to enable service health alert monitoring rule | Policy | Built-in | Assignable at the subscription or management group level, this policy ensures that each subscription has a service health alert rule configured with alert conditions and mapping to action groups as specified in the policy parameters. By default creates a resource group, alert rule and action group configured to send emails to subscription owners for all service health events. | DeployIfNotExists | DINE-ServiceHealthBuiltInPolicyAssignment.json | [Preview]: Configure subscriptions to enable service health alert monitoring rule | FY25H2 | |
| Platform | Enforce recommended guardrails for Azure Key Vault | Enforce recommended guardrails for Azure Key Vault | Initiative | Custom | This initiative assignment enables recommended ALZ guardrails for Azure Key Vault. | Deny, Audit | ENFORCE-GuardrailsKeyVaultPolicyAssignment.json | Enforce recommended guardrails for Azure Key Vault (azadvertizer.net) | 2023-07-17 | Updated 260203 |
| Platform | Enforce enhanced recovery and backup policies | Enforce enhanced recovery and backup policies | Initiative | Custom | This initiative assignment enables recommended audit policies for Azure Backup and Site Recovery. | Audit | Enforce-BackupPolicyAssignment.json | Enforce-Backup | 2024-03-12 | |
| Platform | Subnets should be private | Subnets should be private | Policy | Built-in | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny | ENFORCE-SubnetPrivatePolicyAssignment.json | Subnets should be private - 7bca8353-aa3b-429b-904a-9229c4385837 (azadvertizer.net) | 2024-08-15 | |
| Platform/Connectivity | Virtual networks should be protected by Azure DDoS Protection Standard | Virtual networks should be protected by Azure DDoS Protection Standard | Policy | Built-in | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs. | Modify | MODIFY-DDoSPolicyAssignment.json | Virtual networks should be protected by Azure DDoS Protection Standard (azadvertizer.net) | 2023-04-02 | |
| Platform/Connectivity | Deploy Azure Monitor Baseline Alerts for Connectivity | Deploy Azure Monitor Baseline Alerts for Connectivity | Initiative | Custom | Initiative to deploy AMBA alerts relevant to the ALZ Connectivity management group | DeployIfNotExists | DINE-ConnectivityAssignment.json | Deploy Azure Monitor Baseline Alerts for Connectivity - Alerting-Connectivity (azadvertizer.net) | 2023-09-11 | |
| Platform/Management | Deploy Azure Monitor Baseline Alerts for Management | Deploy Azure Monitor Baseline Alerts for Management | Initiative | Custom | Initiative to deploy AMBA alerts relevant to the ALZ Management management group | DeployIfNotExists | DINE-ManagementAssignment.json | Deploy Azure Monitor Baseline Alerts for Management - Alerting-Management (azadvertizer.net) | 2023-09-18 | |
| Platform/Identity | Deny the creation of public IP | Deny the creation of public IP | Policy | Custom | This policy denies creation of Public IPs under the assigned scope. | Deny | DENY-PublicIpAddressPolicyAssignment.json | Deny the creation of public IP (azadvertizer.net) | 2023-04-02 | |
| Platform/Identity | Management port access from the Internet should be blocked | Management port access from the Internet should be blocked | Policy | Custom | This policy denies any network security rule that allows management port access from the Internet | Deny | DENY-MgmtPortsFromInternetPolicyAssignment.json | Management port access from the Internet should be blocked (azadvertizer.net) | 2023-04-02 | |
| Platform/Identity | Subnets should have a Network Security Group | Subnets should have a Network Security Group | Policy | Custom | This policy denies the creation of a subnet without a Network Security Group. NSGs help protect traffic at the subnet level. | Deny | DENY-SubnetWithoutNsgPolicyAssignment.json | Subnets should have a Network Security Group (azadvertizer.net) | 2023-04-02 | |
| Platform/Identity | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Policy | Built-in | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. | DeployIfNotExists | DINE-VMBackupPolicyAssignment.json | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy (azadvertizer.net) | 2023-04-02 | |
| Platform/Identity | Deploy Azure Monitor Baseline Alerts for Identity | Deploy Azure Monitor Baseline Alerts for Identity | Initiative | Custom | Initiative to deploy AMBA alerts relevant to the ALZ Identity management group | DeployIfNotExists | DINE-IdentityAssignment.json | Deploy Azure Monitor Baseline Alerts for Identity - Alerting-Identity (azadvertizer.net) | 2023-09-11 | |
| Landing Zones | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit | Initiative | Custom | TBC | Audit, AuditIfNotExists, DeployIfNotExists, Deny | DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net) | 2025-01-28 | |
| Landing Zones | Management port access from the Internet should be blocked | Management port access from the Internet should be blocked | Policy | Custom | This policy denies any network security rule that allows management port access from the Internet | Deny | DENY-MgmtPortsFromInternetPolicyAssignment.json | Management port access from the Internet should be blocked (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Subnets should have a Network Security Group | Subnets should have a Network Security Group | Policy | Custom | This policy denies the creation of a subnet without a Network Security Group. NSGs help protect traffic at the subnet level. | Deny | DENY-SubnetWithoutNsgPolicyAssignment.json | Subnets should have a Network Security Group (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Network interfaces should disable IP forwarding | Network interfaces should disable IP forwarding | Policy | Built-in | This policy denies network interfaces that have IP forwarding enabled. Enabling IP forwarding disables Azure's check of the source and destination for a network interface. | Deny | DENY-IPForwardingPolicyAssignment.json | Network interfaces should disable IP forwarding (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Secure transfer to storage accounts should be enabled | Secure transfer to storage accounts should be enabled | Policy | Built-in | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking. | Deny | DENY-StorageWithoutHttpsPolicyAssignment.json | Secure transfer to storage accounts should be enabled (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters | Policy | Built-in | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists | DINE-AksPolicyPolicyAssignment.json | Deploy Azure Policy Add-on to Azure Kubernetes Service clusters (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Configure SQL servers to have auditing enabled to Log Analytics workspace | Configure SQL servers to have auditing enabled to Log Analytics workspace | Policy | Built-in | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists | DINE-SQLAuditingPolicyAssignment.json | Configure SQL servers to have auditing enabled to Log Analytics workspace - 25da7dfb-0666-4a15-a8f5-402127efd8bb (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Deploy Threat Detection on SQL servers | Configure Azure Defender to be enabled on SQL servers | Policy | Built-in | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists | DINE-SQLThreatPolicyAssignment.json | Configure Azure Defender to be enabled on SQL servers (azadvertizer.net) | 2023-06-07 | |
| Landing Zones | Deploy TDE on SQL servers | Deploy TDE on SQL servers | Policy | Built-in | This policy ensures that Transparent Data Encryption is enabled on SQL Servers. | DeployIfNotExists | DINE-SQLEncryptionPolicyAssignment.json | Deploy SQL DB transparent data encryption (azadvertizer.net) | 2023-06-07 | |
| Landing Zones | Virtual networks should be protected by Azure DDoS Protection Standard | Virtual networks should be protected by Azure DDoS Protection Standard | Policy | Built-in | Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. | Modify | MODIFY-DDoSPolicyAssignment.json | Virtual networks should be protected by Azure DDoS Protection Standard (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Kubernetes cluster should not allow privileged containers | Kubernetes cluster should not allow privileged containers | Policy | Built-in | Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | DENY-AksPrivilegedPolicyAssignment.json | Kubernetes cluster should not allow privileged containers (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Kubernetes clusters should not allow container privilege escalation | Kubernetes clusters should not allow container privilege escalation | Policy | Built-in | Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | DENY-AksPrivEscalationPolicyAssignment.json | Kubernetes clusters should not allow container privilege escalation (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Kubernetes clusters should be accessible only over HTTPS | Kubernetes clusters should be accessible only over HTTPS | Policy | Built-in | Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. | Deny | DENY-AksWithoutHttpsPolicyAssignment.json | Kubernetes clusters should be accessible only over HTTPS (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Enforce recommended guardrails for Azure Key Vault | Enforce recommended guardrails for Azure Key Vault | Initiative | Custom | This initiative assignment enables recommended ALZ guardrails for Azure Key Vault. | Deny, Audit | ENFORCE-GuardrailsKeyVaultPolicyAssignment.json | Enforce recommended guardrails for Azure Key Vault (azadvertizer.net) | 2023-04-02 | Updated 260203 |
| Landing Zones | Enforce enhanced recovery and backup policies | Enforce enhanced recovery and backup policies | Initiative | Custom | This initiative assignment enables recommended audit policies for Azure Backup and Site Recovery. | Audit | Enforce-BackupPolicyAssignment.json | Enforce-Backup | 2024-03-12 | |
| Landing Zones | Web Application Firewall (WAF) should be enabled for Application Gateway | Web Application Firewall (WAF) should be enabled for Application Gateway | Policy | Built-in | Assign the WAF should be enabled for Application Gateway audit policy. | Audit | AUDIT-AppGwWafPolicyAssignment.json | Web Application Firewall (WAF) should be enabled for Application Gateway (azadvertizer.net) | 2023-09-11 | |
| Landing Zones | Deploy Azure Monitor Baseline Alerts for Landing Zone | Deploy Azure Monitor Baseline Alerts for Landing Zone | Initiative | Custom | Initiative to deploy AMBA alerts relevant to the ALZ LandingZone management group | DeployIfNotExists | DINE-LandingZoneAssignment.json | Deploy Azure Monitor Baseline Alerts for Landing Zone - Alerting-LandingZone (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy | Policy | Built-in | Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag. | DeployIfNotExists | DINE-VMBackupPolicyAssignment.json | Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy - 98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86 (azadvertizer.net) | 2023-04-02 | |
| Landing Zones | Subnets should be private | Subnets should be private | Policy | Built-in | Ensure your subnets are secure by default by preventing default outbound access. For more information go to https://aka.ms/defaultoutboundaccessretirement | Audit, Deny | ENFORCE-SubnetPrivatePolicyAssignment.json | Subnets should be private - 7bca8353-aa3b-429b-904a-9229c4385837 (azadvertizer.net) | 2024-08-15 | |
| Landing Zones/Corp | Public network access should be disabled for PaaS services | Public network access should be disabled for PaaS services | Initiative | Custom | This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints | Deny | DENY-PublicEndpointPolicyAssignment.json | Public network access should be disabled for PaaS services (azadvertizer.net) | 2023-04-02 | |
| Landing Zones/Corp | Configure Azure PaaS services to use private DNS zones | Configure Azure PaaS services to use private DNS zones | Initiative | Custom | This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones | DeployIfNotExists | DINE-PrivateDNSZonesPolicyAssignment.json | Configure Azure PaaS services to use private DNS zones (azadvertizer.net) | 2023-04-02 | |
| Landing Zones/Corp | Deny network interfaces having a public IP associated | Network interfaces should not have public IPs | Policy | Built-in | This policy denies network interfaces from having a public IP associated to them under the assigned scope. | Deny | DENY-PublicIpAddressOnNICPolicyAssignment.json | Network interfaces should not have public IPs (azadvertizer.net) | 2023-04-02 | |
| Landing Zones/Corp | Audit the creation of Private Link Private DNS Zones | Audit the creation of Private Link Private DNS Zones | Policy | Built-in | Audits the deployment of Private Link Private DNS Zone resources in the Corp landing zone. | Audit | AUDIT-PeDnsZonesPolicyAssignment.json | Audit the creation of Private Link Private DNS Zones (azadvertizer.net) | 2023-04-02 | |
| Landing Zones/Corp | Deny the deployment of vWAN/ER/VPN gateway resources | Deny the deployment of vWAN/ER/VPN gateway resources | Policy | Built-in | Denies deployment of vWAN/ER/VPN gateway resources in the Corp landing zone. | Deny | DENY-HybridNetworkingPolicyAssignment.json | Not allowed resource types (azadvertizer.net) | 2023-04-02 | |
| Landing Zones/Online | N/A | N/A | N/A | N/A | N/A | N/A | N/A | N/A | 2023-04-02 | |
| Decommissioned | Enforce ALZ Decommissioned Guardrails | Enforce ALZ Decommissioned Guardrails | Initiative | Custom | This initiative will help enforce and govern subscriptions that are placed within the decommissioned Management Group as part of your Subscription decommissioning process. See https://aka.ms/alz/policies for more information. | Deny, DeployIfNotExists | ENFORCE-ALZ-DecommissionedPolicyAssignment.json | Enforce policies in the Decommissioned Landing Zone (azadvertizer.net) | 2023-04-02 | |
| Sandbox | Enforce ALZ Sandbox Guardrails | Enforce ALZ Sandbox Guardrails | Initiative | Custom | This initiative will help enforce and govern subscriptions that are placed within the Sandbox Management Group. See https://aka.ms/alz/policies for more information. | Deny | ENFORCE-ALZ-SandboxPolicyAssignment.json | Enforce policies in the Sandbox Landing Zone (azadvertizer.net) | 2023-04-02 | |
| Platform | Enable Azure Monitor for VMs | Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) | Initiative | Built-in | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists | DINE-VMMonitoringPolicyAssignment.json | Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) - 924bfe3a-762f-40e7-86dd-5c8b95eb09e6 (azadvertizer.net) | 2024-01-31 | |
| Platform | Enable Azure Monitor for Virtual Machine Scale Sets | Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA) | Initiative | Built-in | This policy initiative installs the Azure Monitoring Agent (AMA) on virtual machine scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists | DINE-VMSSMonitoringPolicyAssignment.json | Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA) - f5bf694c-cca7-4033-b883-3a23327d5485 (azadvertizer.net) | 2024-01-31 | |
| Platform | Enable Azure Monitor for Hybrid Virtual Machines | Enable Azure Monitor for Hybrid VMs with AMA | Initiative | Built-in | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists | DINE-VMHybridMonitoringPolicyAssignment.json | Enable Azure Monitor for Hybrid VMs with AMA - 2b00397d-c309-49c4-aa5a-f0b2c5bc6321 (azadvertizer.net) | 2024-01-31 | |
| Platform | Enable ChangeTracking and Inventory for virtual machines | [Preview]: Enable ChangeTracking and Inventory for virtual machines | Initiative | Built-in | This policy initiative enables ChangeTracking and Inventory for virtual machines. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists | DINE-ChangeTrackingVMPolicyAssignment.json | [Preview]: Enable ChangeTracking and Inventory for virtual machines - 92a36f05-ebc9-4bba-9128-b47ad2ea3354 (azadvertizer.net) | 2024-01-31 | |
| Platform | Enable ChangeTracking and Inventory for virtual machine scale sets | [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets | Initiative | Built-in | This policy initiative enables ChangeTracking and Inventory for virtual machine scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists | DINE-ChangeTrackingVMSSPolicyAssignment.json | [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets - c4a70814-96be-461c-889f-2b27429120dc (azadvertizer.net) | 2024-01-31 | |
| Platform | Enable ChangeTracking and Inventory for Arc-enabled virtual machines | [Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines | Initiative | Built-in | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists | DINE-ChangeTrackingVMArcPolicyAssignment.json | [Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines - 53448c70-089b-4f52-8f38-89196d7f2de1 (azadvertizer.net) | 2024-01-31 | |
| Platform | Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace | Initiative | Built-in | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists | DINE-MDFCDefenderSQLAMAPolicyAssignment.json | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace - de01d381-bae9-4670-8870-786f89f49e26 (azadvertizer.net) | 2024-01-31 | |
| Platform | Do not allow deletion of resource types | Do not allow deletion of resource types | Policy | Built-in | This policy enables you to specify the resource types that your organization can protect from accidental deletion by blocking delete calls using the DenyAction effect. Assigned to deny the deletion of the User-Assigned Managed Identity that is used for AMA. | DenyAction | DENYACTION-ResourceDeletionPolicyAssignment.json | Do not allow deletion of resource types - 78460a36-508a-49a4-b2b2-2f5ec564f4bb (azadvertizer.net) | 2024-01-31 | |
| Platform | Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines | Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines | Initiative | Custom | With this policy initiative, you can enable automatic OS update assessment every 24 hours. This is a custom initiative composed of built-in policies. | Modify | MODIFY-AUM-CheckUpdatesPolicyAssignment.json | Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines - Deploy-AUM-CheckUpdates (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Enable Azure Monitor for VMs | Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) | Initiative | Built-in | This policy initiative installs the Azure Monitoring Agent (AMA) on the virtual machines (VMs) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists | DINE-VMMonitoringPolicyAssignment.json | Enable Azure Monitor for VMs with Azure Monitoring Agent(AMA) - 924bfe3a-762f-40e7-86dd-5c8b95eb09e6 (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Enable Azure Monitor for Virtual Machine Scale Sets | Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA) | Initiative | Built-in | This policy initiative installs the Azure Monitoring Agent (AMA) on virtual machine scale sets (VMSS) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists | DINE-VMSSMonitoringPolicyAssignment.json | Enable Azure Monitor for VMSS with Azure Monitoring Agent(AMA) - f5bf694c-cca7-4033-b883-3a23327d5485 (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Enable Azure Monitor for Hybrid Virtual Machines | Enable Azure Monitor for Hybrid VMs with AMA | Initiative | Built-in | This policy initiative installs the Azure Monitoring Agent (AMA) on Arc-enabled servers (Hybrid) and enables Azure Monitor for them. Azure Monitor collects and analyzes data from the VMs, such as performance metrics, logs, and dependencies. | DeployIfNotExists | DINE-VMHybridMonitoringPolicyAssignment.json | Enable Azure Monitor for Hybrid VMs with AMA - 2b00397d-c309-49c4-aa5a-f0b2c5bc6321 (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Enable ChangeTracking and Inventory for virtual machines | [Preview]: Enable ChangeTracking and Inventory for virtual machines | Initiative | Built-in | This policy initiative enables ChangeTracking and Inventory for virtual machines. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists | DINE-ChangeTrackingVMPolicyAssignment.json | [Preview]: Enable ChangeTracking and Inventory for virtual machines - 92a36f05-ebc9-4bba-9128-b47ad2ea3354 (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Enable ChangeTracking and Inventory for virtual machine scale sets | [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets | Initiative | Built-in | This policy initiative enables ChangeTracking and Inventory for virtual machine scale sets. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists | DINE-ChangeTrackingVMSSPolicyAssignment.json | [Preview]: Enable ChangeTracking and Inventory for virtual machine scale sets - c4a70814-96be-461c-889f-2b27429120dc (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Enable ChangeTracking and Inventory for Arc-enabled virtual machines | [Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines | Initiative | Built-in | This policy initiative enables ChangeTracking and Inventory for Arc-enabled servers. It uses a Data Collection Rule to define what data to collect and where to send it, and a user-assigned identity to authenticate the Azure Monitor Agent. | DeployIfNotExists | DINE-ChangeTrackingVMArcPolicyAssignment.json | [Preview]: Enable ChangeTracking and Inventory for Arc-enabled virtual machines - 53448c70-089b-4f52-8f38-89196d7f2de1 (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Enable Defender for SQL on SQL VMs and Arc-enabled SQL Servers | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace | Initiative | Built-in | This policy initiative enables Microsoft Defender for SQL and AMA on SQL VMs and Arc-enabled SQL Servers. | DeployIfNotExists | DINE-MDFCDefenderSQLAMAPolicyAssignment.json | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace - de01d381-bae9-4670-8870-786f89f49e26 (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines | Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines | Initiative | Custom | With this policy initiative, you can enable automatic OS update assessment every 24 hours. This is a custom initiative composed of built-in policies. | Modify | MODIFY-AUM-CheckUpdatesPolicyAssignment.json | Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines - Deploy-AUM-CheckUpdates (azadvertizer.net) | 2024-01-31 | |
| Landing Zones | Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs | [Preview]: Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs | Initiative | Built-in | With this policy initiative, you can enable Guest Attestation on Trusted Launch enabled VMs. | DeployIfNotExists, Modify | DINE-TrustedLaunchGuestAttestationAssignment.json | [Preview]: Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs - 281d9e47-d14d-4f05-b8eb-18f2c4a034ff | 2025-05-07 | |
| Platform | Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs | [Preview]: Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs | Initiative | Built-in | With this policy initiative, you can enable Guest Attestation on Trusted Launch enabled VMs. | DeployIfNotExists, Modify | DINE-TrustedLaunchGuestAttestationAssignment.json | [Preview]: Configure prerequisites to enable Guest Attestation on Trusted Launch enabled VMs - 281d9e47-d14d-4f05-b8eb-18f2c4a034ff | 2025-05-08 | |
Note: Be sure to also review the Extra Policies and Information document. It describes additional ALZ custom policy definitions and initiatives that are not assigned by default in ALZ but are provided because they may assist some consumers of ALZ in specific scenarios, where they can assign these additional policies to help meet their objectives.
