Azure Monitor Baseline Alerts

Deploy with Azure PowerShell

Updating from the preview version is not supported. If you deployed the preview version, please follow the steps in Moving from preview to GA before proceeding.

1. Parameter Configuration

To begin, either download the appropriate parameter file for the version of AMBA-ALZ you are deploying or clone/fork the repository.

The following instructions apply universally, regardless of your alignment with ALZ or if you have a single management group.

  • Modify the values of the following parameters at the beginning of the parameter file as per the instructions below:

    It is highly recommended to configure at least one notification option (email, ARM Role, Logic App, etc.) to ensure you receive alerts. Proceeding without any notification settings is not advised.
    • Set the value of enterpriseScaleCompanyPrefix to the management group where you intend to deploy the policies and initiatives. Typically, this is the “pseudo root management group.” In ALZ terminology, this refers to the “Intermediate Root Management Group” located directly beneath the “Tenant Root Group.”

    • Set the bringYourOwnUserAssignedManagedIdentity parameter to Yes if you have an existing user-assigned managed identity with the Monitoring Reader role assigned at the pseudo root management group level. Otherwise, leave it set to No to create a new managed identity with the appropriate permissions during the deployment process.

    • Update the bringYourOwnUserAssignedManagedIdentityResourceId parameter. If bringYourOwnUserAssignedManagedIdentity is set to Yes, provide the resource ID of your user-assigned managed identity. If it is set to No, leave this parameter blank.

    • Set the userAssignedManagedIdentityName parameter to a preferred name. This parameter is only used if bringYourOwnUserAssignedManagedIdentity is set to No.

    • Update the managementSubscriptionId parameter. If bringYourOwnUserAssignedManagedIdentity is set to No, provide the subscription ID of the management subscription. Otherwise, leave it blank.

    • Set the ALZMonitorResourceGroupName parameter to the name of the resource group where activity logs, resource health alerts, action groups, and alert processing rules will be deployed.

    • Update the ALZMonitorResourceGroupTags parameter to specify the tags to be added to the resource group.

    • Set the ALZMonitorResourceGroupLocation parameter to specify the location of the resource group.

    • Update the ALZMonitorActionGroupEmail parameter with the email address(es) for alert notifications (including Service Health alerts). Leave it blank if no email notification is required.

    • Set the ALZLogicappResourceId parameter to the Logic App resource ID to be used for alert actions (including Service Health alerts). Leave it blank if no Logic App is used.

    • Update the ALZLogicappCallbackUrl parameter with the callback URL of the Logic App to be used for alert actions (including Service Health alerts). Leave it blank if no Logic App is used. To retrieve the callback URL, use the Get-AzLogicAppTriggerCallbackUrl PowerShell command or navigate to the Logic App in the Azure portal, go to Logic App Designer, expand the trigger activity (When an HTTP request is received), and copy the URL using the copy icon.

      (Screenshot: Get Logic App callback URL)

    • Update the value of ALZArmRoleId to specify the Azure Resource Manager Role(s) that should receive notifications for the alerts, including Service Health alerts. If no notifications are required for any Azure Resource Manager Role, leave this value blank.

    • Update the ALZEventHubResourceId parameter with the resource ID of the Event Hubs to be used for alert actions, including Service Health alerts. Leave it blank if no Event Hubs are used.

    • Update the ALZWebhookServiceUri parameter with the URI(s) of the Webhooks to be used for alert actions, including Service Health alerts. Leave it blank if no Webhooks are used.

    • Update the ALZFunctionResourceId parameter with the resource ID of the Function App to be used for alert actions, including Service Health alerts. Leave it blank if no Function App is used.

    • Update the ALZFunctionTriggerUrl parameter with the trigger URL of the Function App to be used for alert actions, including Service Health alerts. Leave it blank if no Function App is used. To retrieve the Function App trigger URL with the corresponding code, navigate to the HTTP-triggered functions in the Azure portal, go to Code + Test, select Get function URL from the top menu, and copy the value in the URL field using the copy icon.

      (Screenshot: Get function URL)

    You can use multiple email addresses, ARM Roles, Webhooks, or Event Hubs (though using multiple Event Hubs is not recommended as per ALZ guidance). If you set multiple entries, ensure they are entered as a single string with values separated by commas. For example:

    "ALZMonitorActionGroupEmail": {
        "value": [
            "action1@contoso.com",
            "action2@contoso.com"
        ]
    },
    "ALZArmRoleId": {
        "value": [
            "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
            "b24988ac-6180-42a0-ab88-20f7382dd24c"
        ]
    },
    "ALZWebhookServiceUri": {
        "value": [
            "https://webookURI1.webook.com",
            "http://webookURI2.webook.com"
        ]
    }
    

    To disable initiative assignments, set the value of any of the following parameters to “No”: enableAMBAConnectivity, enableAMBAIdentity, enableAMBALandingZone, enableAMBAManagement, or enableAMBAServiceHealth.

If you are aligned to ALZ

  • Set the platformManagementGroup parameter to the management group ID designated for Platform.
  • Set the IdentityManagementGroup parameter to the management group ID designated for Identity.
  • Set the managementManagementGroup parameter to the management group ID designated for Management.
  • Set the connectivityManagementGroup parameter to the management group ID designated for Connectivity.
  • Set the LandingZoneManagementGroup parameter to the management group ID designated for Landing Zones.

If you are unaligned to ALZ

  • Set the platformManagementGroup parameter to the management group ID designated for Platform. This ID may be used multiple times.
  • Set the IdentityManagementGroup parameter to the management group ID designated for Identity. This ID may be used multiple times.
  • Set the managementManagementGroup parameter to the management group ID designated for Management. This ID may be used multiple times.
  • Set the connectivityManagementGroup parameter to the management group ID designated for Connectivity. This ID may be used multiple times.
  • Set the LandingZoneManagementGroup parameter to the management group ID designated for Landing Zones. This ID may be used multiple times.

For streamlined deployment and maintenance, we have retained the same variable names. For instance, if you have consolidated Identity, Management, and Connectivity into a single management group, configure the variables identityManagementGroup, managementManagementGroup, connectivityManagementGroup, and LZManagementGroup with the same management group ID.

If you have a single management group

  • Set the value of platformManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of IdentityManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of managementManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of connectivityManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.
  • Set the value of LandingZoneManagementGroup to the pseudo root management group ID, also known as the “Intermediate Root Management Group”.

For streamlined deployment and maintenance, we have retained the same variable names. Configure the variables enterpriseScaleCompanyPrefix, identityManagementGroup, managementManagementGroup, connectivityManagementGroup, and LZManagementGroup with the pseudo root management group ID.
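The rules in this section (at least one notification target, the paired resource-ID/URL parameters, the bringYourOwnUserAssignedManagedIdentity / managementSubscriptionId dependency, and management group IDs that must exist) are easy to get wrong by hand, so the script below checks a parameter file before anything is deployed. It is an added example, not code from the AMBA project. It assumes the layout of the sample parameter file in the next section (parameters.<name>.value), the default path .\patterns\alz\alzArm.param.json, and an existing Azure login (Get-AzManagementGroup is called to confirm that each management group exists). It also flags webhook URIs that are not HTTPS, a check the page does not make.

```powershell
# Pre-flight check for an AMBA-ALZ parameter file (added example, not AMBA project code).
# Assumes the sample file layout: parameters.<name>.value, and a current Az login.
param(
    [string]$ParameterFile = ".\patterns\alz\alzArm.param.json"   # default path from this page
)

$params = (Get-Content -Raw -Path $ParameterFile | ConvertFrom-Json).parameters

# Returns the value of a parameter, or $null when the parameter is absent from the file.
function Get-ParamValue([string]$Name) {
    $p = $params.PSObject.Properties[$Name]
    if ($null -eq $p) { return $null }
    return $p.Value.value
}

# True when a value is non-blank (for arrays: at least one non-blank element).
function Test-HasValue($Value) {
    if ($null -eq $Value) { return $false }
    if ($Value -is [array]) {
        return @($Value | Where-Object { -not [string]::IsNullOrWhiteSpace([string]$_) }).Count -gt 0
    }
    return -not [string]::IsNullOrWhiteSpace([string]$Value)
}

$problems = [System.Collections.Generic.List[string]]::new()

# 1. At least one notification target; proceeding without one means alerts fire but nobody is told.
$notificationParams = 'ALZMonitorActionGroupEmail', 'ALZArmRoleId', 'ALZLogicappResourceId',
                      'ALZEventHubResourceId', 'ALZWebhookServiceUri', 'ALZFunctionResourceId'
$configured = @($notificationParams | Where-Object { Test-HasValue (Get-ParamValue $_) })
if ($configured.Count -eq 0) {
    $problems.Add("No notification target is configured (one of: $($notificationParams -join ', ')).")
}

# 2. Paired parameters: a Logic App or Function App resource ID needs its URL, and vice versa.
$pairs = @(
    @('ALZLogicappResourceId', 'ALZLogicappCallbackUrl'),
    @('ALZFunctionResourceId', 'ALZFunctionTriggerUrl')
)
foreach ($pair in $pairs) {
    $hasId  = Test-HasValue (Get-ParamValue $pair[0])
    $hasUrl = Test-HasValue (Get-ParamValue $pair[1])
    if ($hasId -ne $hasUrl) { $problems.Add("$($pair[0]) and $($pair[1]) must both be set or both be blank.") }
}

# 3. Managed identity: BYO identity needs its resource ID; a new identity needs the management subscription.
$byo = [string](Get-ParamValue 'bringYourOwnUserAssignedManagedIdentity')
switch ($byo) {
    'Yes' {
        if (-not (Test-HasValue (Get-ParamValue 'bringYourOwnUserAssignedManagedIdentityResourceId'))) {
            $problems.Add('bringYourOwnUserAssignedManagedIdentity is Yes but the identity resource ID is blank.')
        }
    }
    'No' {
        if (-not (Test-HasValue (Get-ParamValue 'managementSubscriptionId'))) {
            $problems.Add('bringYourOwnUserAssignedManagedIdentity is No but managementSubscriptionId is blank.')
        }
    }
    default { $problems.Add("bringYourOwnUserAssignedManagedIdentity must be 'Yes' or 'No' (found '$byo').") }
}

# 4. Every management group named in the file must exist (and be visible to the signed-in account).
$mgParams = 'enterpriseScaleCompanyPrefix', 'platformManagementGroup', 'IdentityManagementGroup',
            'managementManagementGroup', 'connectivityManagementGroup', 'LandingZoneManagementGroup'
foreach ($name in $mgParams) {
    $id = Get-ParamValue $name
    if (-not (Test-HasValue $id)) { $problems.Add("$name is blank."); continue }
    $mg = Get-AzManagementGroup -GroupId $id -ErrorAction SilentlyContinue
    if ($null -eq $mg) { $problems.Add("$name points to management group '$id', which was not found or is not accessible.") }
}

# 5. Webhook URIs should be HTTPS so alert payloads are not sent in clear text.
foreach ($uri in @(Get-ParamValue 'ALZWebhookServiceUri')) {
    if ((Test-HasValue $uri) -and ([string]$uri -notmatch '^https://')) {
        $problems.Add("Webhook URI '$uri' does not use HTTPS.")
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Parameter file '$ParameterFile' has $($problems.Count) problem(s); fix them before deploying."
}
Write-Host "Parameter file '$ParameterFile' passed all pre-flight checks."
```

Save it as, for example, Test-AmbaParameters.ps1 and run it from the repository root after Connect-AzAccount; a non-zero number of warnings followed by the terminating error means the file is not ready for the deployment steps that follow.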

2. Sample Parameter File

The parameter file below is a shortened version for demonstration purposes. Full examples are available in the provided samples.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "enterpriseScaleCompanyPrefix": {
      "value": "contoso"
    },
    "platformManagementGroup": {
      "value": "contoso-platform"
    },
    "IdentityManagementGroup": {
      "value": "contoso-identity"
    },
    "managementManagementGroup": {
      "value": "contoso-management"
    },
    "connectivityManagementGroup": {
      "value": "contoso-connectivity"
    },
    "LandingZoneManagementGroup": {
      "value": "contoso-landingzones"
    },
    "enableAMBAConnectivity": {
      "value": "Yes"
    },
    "enableAMBAIdentity": {
      "value": "Yes"
    },
    "enableAMBAManagement": {
      "value": "Yes"
    },
    "enableAMBAServiceHealth": {
      "value": "Yes"
    },
    "enableAMBANotificationAssets": {
      "value": "Yes"
    },
    "enableAMBAHybridVM": {
      "value": "Yes"
    },
    "enableAMBAKeyManagement": {
      "value": "Yes"
    },
    "enableAMBALoadBalancing": {
      "value": "Yes"
    },
    "enableAMBANetworkChanges": {
      "value": "Yes"
    },
    "enableAMBARecoveryServices": {
      "value": "Yes"
    },
    "enableAMBAStorage": {
      "value": "Yes"
    },
    "enableAMBAVM": {
      "value": "Yes"
    },
    "enableAMBAWeb": {
      "value": "Yes"
    },
    "telemetryOptOut": {
      "value": "No"
    },
    "bringYourOwnUserAssignedManagedIdentity": {
      "value": "No"
    },
    "bringYourOwnUserAssignedManagedIdentityResourceId": {
      "value": ""
    },
    "userAssignedManagedIdentityName": {
      "value": "id-amba-prod-001"
    },
    "managementSubscriptionId": {
      "value": ""
    },
    "ALZMonitorResourceGroupName": {
      "value": "rg-amba-monitoring-001"
    },
    "ALZMonitorResourceGroupLocation": {
      "value": "eastus"
    },
    "ALZMonitorResourceGroupTags": {
      "value": {
        "Project": "amba-monitoring"
      }
    },
    "ALZMonitorDisableTagName": {
      "value": "MonitorDisable"
    },
    "ALZMonitorDisableTagValues": {
      "value": [
        "true",
        "Test",
        "Dev",
        "Sandbox"
      ]
    },
    .
    .
    .
    .
  }
}

3. Configuring Variables for Deployment

These steps are applicable to all scenarios, whether aligned or unaligned with ALZ, or if you have a single management group.

  1. Open a PowerShell prompt and navigate to the root of the cloned repository.
  2. Log in to Azure with an account that has at least Resource Policy Contributor access at the root of the management group hierarchy where you will be creating the policies and initiatives.

Execute the following commands:

$location = "Your Azure location of choice"
$pseudoRootManagementGroup = "The pseudo root management group ID parenting the identity, management, and connectivity management groups"

The pseudoRootManagementGroup variable must match the value of the parPolicyPseudoRootMgmtGroup parameter as defined in the parameter files.

The location variable specifies the deployment region. It is not required to deploy to multiple regions since the definitions and assignments are scoped to a management group and are not region-specific.

4. Deploy Policy Definitions, Initiatives, and Policy Assignments with Default Settings

Deploying through PowerShell requires authentication to Azure and the following modules:

  • Az.Accounts
  • Az.Resources

Before starting the deployment, ensure you have logged in using the Connect-AzAccount PowerShell command and that the modules above have been imported.

These steps are applicable to all scenarios, whether aligned or unaligned with ALZ, or if you have a single management group.

If you have closed your previous session, open a PowerShell prompt and navigate to the root of the cloned repository. Log in to Azure with an account that has at least Resource Policy Contributor access at the root of the management group hierarchy where you will be creating the policies and initiatives. Then, run the following command:

New-AzManagementGroupDeployment -Name "amba-GeneralDeployment" -ManagementGroupId $pseudoRootManagementGroup -Location $location -TemplateUri "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-12-10/patterns/alz/alzArm.json" -TemplateParameterFile ".\patterns\alz\alzArm.param.json"

For testing purposes, it is recommended to deploy in a safe environment first. When preparing for production deployment, refer to the Customize Policy Assignment guide to deploy and enable alerts in a controlled manner.

If you have customized the policies as described in How to Modify Individual Policies, ensure that you run the deployment command using your own repository and branch in the -TemplateUri parameter. For example:

New-AzManagementGroupDeployment -Name "amba-GeneralDeployment" -ManagementGroupId $pseudoRootManagementGroup -Location $location -TemplateUri "https://raw.githubusercontent.com/***YourGithubFork***/azure-monitor-baseline-alerts/***main or branchname***/patterns/alz/alzArm.json" -TemplateParameterFile ".\patterns\alz\alzArm.param.json"
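Sections 3 and 4 above amount to one procedure: confirm the Az modules and login, set $location and $pseudoRootManagementGroup, make sure the pseudo root matches the parameter file, and run New-AzManagementGroupDeployment. The script below carries that procedure through with the checks a practitioner would want before touching a management group: it validates the template with Test-AzManagementGroupDeployment and supports a -WhatIf dry run, which suits the advice to try a safe environment first. It is an added example, not AMBA project code. It assumes the default parameter file path, compares $pseudoRootManagementGroup against enterpriseScaleCompanyPrefix (the pseudo root parameter in the sample file), and uses a placeholder template URI that you replace with the release tag or fork URL shown above; the role check is advisory only, since Get-AzRoleAssignment is used with a user sign-in name and group-based assignments may not be listed.

```powershell
# Guarded wrapper around the AMBA-ALZ deployment command (added example, not AMBA project code).
# Assumptions: default parameter file path, enterpriseScaleCompanyPrefix holds the pseudo root
# management group ID, and <YourGithubFork>/<branch-or-tag> are placeholders you replace.
param(
    [Parameter(Mandatory)][string]$Location,                      # same meaning as $location above
    [Parameter(Mandatory)][string]$PseudoRootManagementGroup,     # same meaning as $pseudoRootManagementGroup above
    [string]$TemplateUri = "https://raw.githubusercontent.com/<YourGithubFork>/azure-monitor-baseline-alerts/<branch-or-tag>/patterns/alz/alzArm.json",
    [string]$TemplateParameterFile = ".\patterns\alz\alzArm.param.json",
    [switch]$WhatIf                                               # dry run: show changes, deploy nothing
)

# 1. The two modules the page lists must be present and loaded.
foreach ($module in 'Az.Accounts', 'Az.Resources') {
    if (-not (Get-Module -ListAvailable -Name $module)) { throw "Module $module is not installed." }
    Import-Module $module -ErrorAction Stop
}

# 2. Connect-AzAccount is interactive, so fail clearly instead of calling it from a script.
$ctx = Get-AzContext
if ($null -eq $ctx) { throw "No Azure context. Run Connect-AzAccount first." }
Write-Host "Deploying as $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"

# 3. The pseudo root passed on the command line must match the parameter file.
$params = (Get-Content -Raw -Path $TemplateParameterFile | ConvertFrom-Json).parameters
$prefix = $params.enterpriseScaleCompanyPrefix.value
if ($prefix -ne $PseudoRootManagementGroup) {
    throw "enterpriseScaleCompanyPrefix ('$prefix') does not match -PseudoRootManagementGroup ('$PseudoRootManagementGroup')."
}

# 4. Advisory check for a suitable role at the pseudo root scope. Resource Policy Contributor is the
#    minimum named on this page; Owner also covers it. Group-based assignments may be missed, so warn only.
$scope = "/providers/Microsoft.Management/managementGroups/$PseudoRootManagementGroup"
if ($ctx.Account.Type -eq 'User') {
    $roles = Get-AzRoleAssignment -Scope $scope -SignInName $ctx.Account.Id -ExpandPrincipalGroups -ErrorAction SilentlyContinue
    $ok = @($roles | Where-Object { $_.RoleDefinitionName -in 'Owner', 'Resource Policy Contributor' })
    if ($ok.Count -eq 0) {
        Write-Warning "No Owner or Resource Policy Contributor assignment found for $($ctx.Account.Id) at $scope; the deployment may be denied."
    }
}

# 5. Validate the template and parameters server-side before creating anything.
$deployArgs = @{
    Name                  = 'amba-GeneralDeployment'
    ManagementGroupId     = $PseudoRootManagementGroup
    Location              = $Location
    TemplateUri           = $TemplateUri
    TemplateParameterFile = $TemplateParameterFile
}
$validateArgs = $deployArgs.Clone()
$validateArgs.Remove('Name')            # Test-AzManagementGroupDeployment takes no deployment name
$errors = Test-AzManagementGroupDeployment @validateArgs
if ($errors) {
    $errors | ForEach-Object { Write-Error $_.Message }
    throw "Template validation failed; nothing was deployed."
}

# 6. Dry run or real deployment.
if ($WhatIf) {
    New-AzManagementGroupDeployment @deployArgs -WhatIf
    return
}
New-AzManagementGroupDeployment @deployArgs -Verbose
```

Run it first as .\Deploy-Amba.ps1 -Location $location -PseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf to review the policy definitions, initiatives and assignments it would create, then without -WhatIf to deploy.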

Next Steps

To remediate non-compliant policies, continue with Policy Remediation.