Azure Monitor Baseline Alerts

Updating to release 2024-09-02

Updating to release 2024-09-02 from previous releases involves a breaking change. To perform the update, it’s required to remove previously deployed policy definitions, policy set definitions, policy assignments and role assignments. As part of this release we made a script available to clean up all the necessary items. It’s strongly recommended that you test the script thoroughly before running it in a production environment. It isn’t necessary to remove alert definitions that will continue to work in the meantime.

Pre update actions

Before updating to release 2024-09-02, it’s required to remove existing policy definitions, policy set definitions, policy assignments and role assignments. This action is required because of a breaking change caused by the redefinition of some parameters, which allows for more flexibility in disabling the policy remediation or, in some cases, the alerts. Unfortunately, not all alerts can be disabled after creation; only log-based alerts can be. Although disabling the policy effect was already possible in AMBA-ALZ, with this release we made sure that all the policies honor both the PolicyEffect and the MonitorDisable parameters.

In particular, the MonitorDisable feature has been redesigned to allow customers to specify their own existing tag and tag value instead of forcing a hard-coded one. Given the ALZ guidance and the best practice of having a consistent tagging definition, only one parameter name is allowed for the entire deployment. The parameter value, however, can differ: you can specify an array of values assigned to the same parameter. For instance, suppose the Environment tag name is consistently applied to several environments (Production, Test, Sandbox, and so on) and you want to disable alerts for resources that are in both Test and Sandbox. This is now possible by configuring the parameters for tag name and tag values as shown in the sample screenshot below (these are the default values):

MonitorDisable* parameters

Complete description of this new/redesigned feature can be found in the MonitorDisable parameter paragraph inside the Disabling Policies page.

Once the policy definitions, policy set definitions, policy assignments and role assignments are removed and the deployment is completed, the execution of Policy remediation will ensure that the new alerts will be created accordingly.

To run the script, complete the following steps:

  1. Open PowerShell
  2. Install the Az.ResourceGraph module (if not present): Install-Module Az.ResourceGraph
  3. Change directory to patterns\alz\scripts, where you find the Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 script
  4. Configure the $pseudoRootManagementGroup variable using the following command:
$pseudoRootManagementGroup = "The pseudo root management group id parenting the Platform and Landing Zones management groups"
  5. Sign in to Azure with the Connect-AzAccount command. The account you sign in as needs to have permissions to remove policy definitions, policy set definitions, policy assignments and role assignments at the desired Management Group scope.

  6. Execute the script using one of the following options:

Since PowerShell scripts released as part of the ALZ pattern are not digitally signed, they might require you to temporarily change the execution policy if it is not already set to Unrestricted. Before running the script, check the execution policy settings using this command:

Get-ExecutionPolicy

If the result is anything other than Unrestricted, run the following command to change it to Unrestricted:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

At this point, you should be able to run your scripts with no issues. After you have finished, you can set the execution policy back to what it was if you want to.

Show the output of what would happen if the deletes were executed:

./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf

Execute the script asking for confirmation before deleting the policy definitions, policy set definitions, policy assignments and role assignments deployed by AMBA-ALZ:

./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup

Execute the script without asking for confirmation before deleting the policy definitions, policy set definitions, policy assignments and role assignments deployed by AMBA-ALZ:

./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false
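
The same run with the execution-policy change limited to the current PowerShell session and the -WhatIf preview placed before any deletion, as an added example that is not part of the AMBA-ALZ repository. It assumes Windows, an interactive session in patterns\alz\scripts with steps 2 to 5 already completed; the variable names $scriptPath, $previous and $answer are hypothetical.

```powershell
# Added example (not AMBA-ALZ code). Paste into the interactive session from step 1,
# after steps 2-5, while in the patterns\alz\scripts directory.
# Assumes Windows: on other platforms the execution policy cannot be changed.
$scriptPath = Join-Path (Get-Location) 'Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1'
if (-not (Test-Path -LiteralPath $scriptPath)) { throw "Script not found: $scriptPath" }
if ([string]::IsNullOrWhiteSpace($pseudoRootManagementGroup)) {
    throw 'Set $pseudoRootManagementGroup first (step 4).'
}

# Show every scope. MachinePolicy and UserPolicy come from Group Policy and take
# precedence, so a Process-scope change cannot override them.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Record the hash of the file you reviewed, for the change record.
Get-FileHash -LiteralPath $scriptPath -Algorithm SHA256 | Format-List Algorithm, Hash

# Files saved by a browser carry a Zone.Identifier stream; under Unrestricted,
# PowerShell warns before running them. Report it instead of silently unblocking.
if (Get-Item -LiteralPath $scriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Write-Warning 'Script is marked as downloaded; review it, then run Unblock-File if you trust it.'
}

# Without -Scope, Set-ExecutionPolicy writes to LocalMachine (needs elevation and
# applies to all users of the machine). -Scope Process only touches this session.
$previous = Get-ExecutionPolicy -Scope Process
try {
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

    # Preview first: with -WhatIf nothing is deleted.
    & $scriptPath -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf

    $answer = Read-Host 'Preview reviewed. Type YES to run the cleanup with confirmation prompts'
    if ($answer -ceq 'YES') {
        & $scriptPath -pseudoRootManagementGroup $pseudoRootManagementGroup
    }
}
finally {
    # Put the session back the way it was (usually Undefined).
    Set-ExecutionPolicy -ExecutionPolicy $previous -Scope Process -Force
}
```

A Process-scope policy ends with the session, so the machine-wide setting is never modified and there is nothing to restore after the window is closed.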