Extra Policies and Information
This document describes additional ALZ custom policy definitions and initiatives that are not assigned by default in ALZ. They are provided because they may help some consumers of ALZ in specific scenarios, where assigning these additional policies can help them meet their objectives. We also provide guidance on how to handle certain situations, as some of the policies require additional considerations prior to assignment.
For the complete list of Azure Landing Zones custom policies, please use AzAdvertizer and change `type` to `ALZ`.
ALZ provides several additional policies that are not assigned by default but that can be used for specific scenarios should they be required.
| Policy | Description | Notes |
|---|---|---|
| Audit-Tags-Mandatory | Audit for mandatory tags on resources | Audits resources to ensure they have required tags based on tag array. Does not apply to resource groups. |
| Audit-Tags-Mandatory-RG | Audit for mandatory tags on resource groups | Audits resource groups to ensure they have required tags based on tag array. |
| Deny-Appgw-Without-Waf | Application Gateway should be deployed with WAF enabled | Use to ensure Application Gateways are deployed with Web Application Firewall enabled |
| Deny-Private-Dns-Zones | Deny the creation of private DNS | For organizations that centralize core networking functions, use this policy to prevent the creation of additional Private DNS Zones under specific scopes |
| Deny-Subnet-Without-Penp | Subnets without Private Endpoint Network Policies enabled should be denied | This policy denies the creation of a subnet without Private Endpoint Network Policies enabled. This policy is intended for ‘workload’ subnets, not ‘central infrastructure’ (aka, ‘hub’) subnets. |
| Deny-Subnet-Without-Udr | Subnets should have a User Defined Route | Should you require all network traffic be directed to an appliance for inspection, you can use this policy to ensure UDR is associated with a subnet |
| Deny-Udr-With-Specific-Nexthop | User Defined Routes with ‘Next Hop Type’ set to ‘Internet’ or ‘VirtualNetworkGateway’ should be denied | Refining Deny-Subnet-Without-Udr you can ensure non-compliant UDRs are denied (e.g., bypassing a firewall) |
| Deny-Vnet-Peering | Deny vNet peering | Use to prevent vNet peering under specific scopes (e.g., Sandbox management group) |
| Deny-Vnet-Peering-To-Non-Approved-Vnets | Deny vNet peering to non-approved vNets | Use to control vNet peering under specific scopes, like in the Corp management group, only allow peering to the hub vNet. |
| Deploy-Budget | Deploy a default budget on all subscriptions under the assigned scope | Set a default budget for a specific scope, like setting a $500 budget on all subscriptions in the Sandbox management group |
| Deploy-Sql-Security_20240529 | Deploy SQL Database built-in SQL security configuration | Deploys auditing, alerting, TDE and SQL vulnerability assessment to SQL Databases when they do not already exist in the deployment |
| Deploy-Vnet-Hubspoke | Deploy Virtual Network with peering to the hub | Automatically peer a new virtual network with the hub, for example, in the Corp management group |
| Deploy-Windows-DomainJoin | Deploy Windows Domain Join Extension with Key Vault configuration | Windows Domain Join a virtual machine using domain name and password stored in Key Vault as secrets |
The Azure Landing Zone is designed to be a flexible and scalable solution that can be used by organizations in a variety of industries. However, organizations in regulated industries (FSI, Healthcare, etc.) may need to take additional steps to ensure compliance with industry-specific regulations. These regulations commonly share a consistent set of controls to cover, such as customer-managed keys (CMK), locking down public endpoints, TLS version enforcement and logging.
To support the additional control requirements of these industries, we’re providing the following additional initiatives that enhance the security and compliance posture of the Azure Landing Zone:
Please Note: These are meant to help customers across all regulated industries (FSI, Healthcare, etc.) and are not aligned to specific regulatory controls, as policy initiatives for those are already available via Azure Policy and Microsoft Defender for Cloud.
| WSC Option | Assignment Scope (MG) | ID | Assignment Name | Definition Name | Type | Custom/Builtin | Description | Effect |
|---|---|---|---|---|---|---|---|---|
| Customer Managed Keys | Variable * | Enforce-Encryption-CMK_20250218 | Enforce recommended guardrails for Customer Managed Keys | Deny or Audit resources without Encryption with a customer-managed key (CMK) | Initiative | Custom | Deny or Audit resources without Encryption with a customer-managed key (CMK) | Audit |
| AI Bot Service | Variable * | Enforce-Guardrails-BotService | Enforce recommended guardrails for Bot Service | Enforce recommended guardrails for Bot Service | Initiative | Custom | This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones. | Audit |
| AI Search | Variable * | Enforce-Guardrails-CognitiveServices | Enforce recommended guardrails for Cognitive Services | Enforce recommended guardrails for Cognitive Services | Initiative | Custom | This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones. | Audit |
| Machine Learning | Variable * | Enforce-Guardrails-MachineLearning | Enforce recommended guardrails for Machine Learning | Enforce recommended guardrails for Machine Learning | Initiative | Custom | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | Audit |
| Azure OpenAI | Variable * | Enforce-Guardrails-OpenAI | Enforce recommended guardrails for OpenAI | Enforce recommended guardrails for Open AI (Cognitive Service) | Initiative | Custom | This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones. | Audit |
| Data Explorer | Variable * | Enforce-Guardrails-DataExplorer | Enforce recommended guardrails for Data Explorer | Enforce recommended guardrails for Data Explorer | Initiative | Custom | This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones. | Audit |
| Data Factory | Variable * | Enforce-Guardrails-DataFactory | Enforce recommended guardrails for Data Factory | Enforce recommended guardrails for Data Factory | Initiative | Custom | This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones. | Audit |
| Synapse | Variable * | Enforce-Guardrails-Synapse | Enforce recommended guardrails for Synapse | Enforce recommended guardrails for Synapse workspaces | Initiative | Custom | This policy initiative is a group of policies that ensures Synapse workspaces are compliant per regulated Landing Zones. | Audit |
| Compute | Variable * | Enforce-Guardrails-Compute | Enforce recommended guardrails for Compute | Enforce recommended guardrails for Compute | Initiative | Custom | This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones. | Audit |
| Virtual Desktop | Variable * | Enforce-Guardrails-VirtualDesktop | Enforce recommended guardrails for Virtual Desktop | Enforce recommended guardrails for Virtual Desktop | Initiative | Custom | This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones. | Audit |
| Container Apps | Variable * | Enforce-Guardrails-ContainerApps | Enforce recommended guardrails for Container Apps | Enforce recommended guardrails for Container Apps | Initiative | Custom | This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones. | Audit |
| Container Instance | Variable * | Enforce-Guardrails-ContainerInstance | Enforce recommended guardrails for Container Instance | Enforce recommended guardrails for Container Instance | Initiative | Custom | This policy initiative is a group of policies that ensures Container Instance is compliant per regulated Landing Zones. | Audit |
| Container Registry | Variable * | Enforce-Guardrails-ContainerRegistry | Enforce recommended guardrails for Container Registry | Enforce recommended guardrails for Container Registry | Initiative | Custom | This policy initiative is a group of policies that ensures Container Registry is compliant per regulated Landing Zones. | Audit |
| Kubernetes | Variable * | Enforce-Guardrails-Kubernetes | Enforce recommended guardrails for Kubernetes | Enforce recommended guardrails for Kubernetes | Initiative | Custom | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. | Audit |
| Cosmos DB | Variable * | Enforce-Guardrails-CosmosDb | Enforce recommended guardrails for Cosmos DB | Enforce recommended guardrails for Cosmos DB | Initiative | Custom | This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones. | Audit |
| MySQL | Variable * | Enforce-Guardrails-MySQL | Enforce recommended guardrails for MySQL | Enforce recommended guardrails for MySQL | Initiative | Custom | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. | Audit |
| PostgreSQL | Variable * | Enforce-Guardrails-PostgreSQL | Enforce recommended guardrails for PostgreSQL | Enforce recommended guardrails for PostgreSQL | Initiative | Custom | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. | Audit |
| SQL | Variable * | Enforce-Guardrails-SQL | Enforce recommended guardrails for SQL | Enforce recommended guardrails for SQL and SQL Managed Instance | Initiative | Custom | This policy initiative is a group of policies that ensures SQL and SQL Managed Instance are compliant per regulated Landing Zones. | Audit |
| Event Grid | Variable * | Enforce-Guardrails-EventGrid | Enforce recommended guardrails for Event Grid | Enforce recommended guardrails for Event Grid | Initiative | Custom | This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones. | Audit |
| Event Hub | Variable * | Enforce-Guardrails-EventHub | Enforce recommended guardrails for Event Hub | Enforce recommended guardrails for Event Hub | Initiative | Custom | This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones. | Audit |
| Service Bus | Variable * | Enforce-Guardrails-ServiceBus | Enforce recommended guardrails for Service Bus | Enforce recommended guardrails for Service Bus | Initiative | Custom | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. | Audit |
| Automation Accounts | Variable * | Enforce-Guardrails-Automation | Enforce recommended guardrails for Automation Accounts | Enforce recommended guardrails for Automation Account | Initiative | Custom | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. | Audit |
| Key Vault - Supplementary | Variable * | Enforce-Guardrails-KeyVault-Sup | Enforce recommended guardrails for Key Vault Supplementary | Enforce additional recommended guardrails for Key Vault | Initiative | Custom | This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones. | Audit |
| Storage | Variable * | Enforce-Guardrails-Storage | Enforce recommended guardrails for Storage | Enforce recommended guardrails for Storage Account | Initiative | Custom | This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones. | Audit |
| API Management | Variable * | Enforce-Guardrails-APIM | Enforce recommended guardrails for API Management | Enforce recommended guardrails for API Management | Initiative | Custom | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. | Audit |
| App Services | Variable * | Enforce-Guardrails-AppServices | Enforce recommended guardrails for App Services | Enforce recommended guardrails for App Service | Initiative | Custom | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. | Audit |
