Deploy via the Azure Portal (Preview)
- Change the values on the Deployment Settings blade according to the instructions below:
  - Choose the Management Group where you wish to deploy the policies and the initiatives. This is usually the so-called “pseudo root management group”; in ALZ terminology this is the “Intermediate Root Management Group” (directly beneath the “Tenant Root Group”).
  - Choose the value of `Region` to specify your Azure location of choice.
  - Change the value of `Resource group for baseline alerts` to the name of the resource group where the activity logs, resource health alerts, action groups and alert processing rules will be deployed.
  - Choose the value of `Resource group location` to specify the location for that resource group.
  - Choose the value of `Bring Your Own User Assigned Managed Identity` to specify whether you want to bring your own user assigned managed identity for monitoring purposes.
  - Define the value of `User Assigned Managed Identity Name` to specify the name of the user assigned managed identity used for monitoring.
  - Choose the value of `Bring Your Own User Assigned Managed Identity Resource Id` to specify the resource id of the user assigned managed identity, if you bring your own user assigned managed identity for monitoring purposes.
  - Choose the value of `Management Subscription Id` to specify the subscription id where the user assigned managed identity will be created.
  - Choose the value of `Customer Usage Selection Option`. Microsoft can identify the deployments of the Azure Resource Manager and Bicep templates with the deployed Azure resources, and can correlate these resources used to support the deployments. Microsoft collects this information to provide the best experiences with their products and to operate their business. The telemetry is collected through customer usage attribution. The data is collected and governed by Microsoft’s privacy policies, located at the trust center.
  - Change the value of `Resource Group Tags` to specify the tags to be added to that resource group.
- Change the values on the Management Groups Settings blade according to the instructions below. The blade asks for five management group ids; the values to enter depend on your management group hierarchy.

  For a hierarchy with a separate management group for each function:
  - Set the value of `Enterprise Scale Company Management Group` to the management group id for Platform.
  - Set the value of `Identity Management Group` to the management group id for Identity.
  - Set the value of `Management Management Group` to the management group id for Management.
  - Set the value of `Connectivity Management Group` to the management group id for Connectivity.
  - Set the value of `Landing Zone Management Group` to the management group id for Landing Zones.

  For a hierarchy where some functions share a management group (the same management group id may be repeated):
  - Set the value of `Enterprise Scale Company Management Group` to the management group id for Platform.
  - Set the value of `Identity Management Group` to the management group id for Identity.
  - Set the value of `Management Management Group` to the management group id for Management.
  - Set the value of `Connectivity Management Group` to the management group id for Connectivity.
  - Set the value of `Landing Zone Management Group` to the management group id for Landing Zones.

  For ease of deployment and maintenance we have kept the same variables.

  For a single management group (the pseudo root only):
  - Set the value of `Enterprise Scale Company Management Group` to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  - Set the value of `Identity Management Group` to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  - Set the value of `Management Management Group` to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  - Set the value of `Connectivity Management Group` to the pseudo root management group id, also called the “Intermediate Root Management Group”.
  - Set the value of `Landing Zone Management Group` to the pseudo root management group id, also called the “Intermediate Root Management Group”.

  For ease of deployment and maintenance we have kept the same variables.
For ease of deployment and maintenance we have kept the same variables.
- Change the value of `Enable AMBA Hybrid VM` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Arc-enabled Servers.
- Change the value of `Enable AMBA Key Management` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor Key Management Services such as Azure Key Vault and Managed HSM.
- Change the value of `Enable AMBA Load Balancing` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor Load Balancing Services such as Load Balancer, Application Gateway, Traffic Manager, and Azure Front Door.
- Change the value of `Enable AMBA Network Changes` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor changes in Network Routing and Security, such as modifications to Route Tables and the removal of Network Security Groups.
- Change the value of `Enable AMBA Recovery Services` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor Recovery Services such as Azure Backup and Azure Site Recovery.
- Change the value of `Enable AMBA Storage` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor Storage Services such as Storage accounts.
- Change the value of `Enable AMBA VM` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor Azure Virtual Machines.
- Change the value of `Enable AMBA Web` to `Yes`. This initiative deploys Azure Monitor Baseline Alerts to monitor Web Services such as App Services.
- Change the value of `Enable AMBA notification assets` to `Yes`. In this scenario, the deployment will deploy notification assets for Service Health alerts and wide notifications.
- Change the value of `Enable AMBA Service Health` to `Yes`. In this scenario, the deployment will assign the Service Health Policy Set Definition.
While it’s technically possible to not add any notification information (no email, no ARM Role, no Logic App, etc.), it is strongly recommended to configure at least one option.

Change the values on the Notification Settings blade according to the instructions below:
- Change the value of `Bring Your Own Notifications (BYON)` to `Yes` if you wish to use existing Action Groups and an Alert Processing Rule. The BYON feature works by setting the necessary parameter values before running the ALZ pattern deployment. Customers have the choice to either specify one or more existing AGs and one APR, or to enter target values so the AG and the APR will be created using the actions specified in the parameter file (including the option to not specify any value and create an empty AG).
- Change the value of `Email contact for action group notifications` to the email address(es) to which notifications of the alerts (including Service Health alerts) are sent. Leave the value blank if no email notification is used.
- Change the value of `Webhook Service Uri` to the URI(s) to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Webhook is used.
- Choose the value of `Arm Role Id` to the Azure Resource Manager Role(s) to which notifications of the alerts (including Service Health alerts) are sent. Leave the value blank if no Azure Resource Manager Role notification is required.
- Change the value of `Logicapp Resource Id` to the Logic app resource id to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Logic app is used.
- Change the value of `Logicapp Callback Url` to the callback url of the Logic app you want to use as action for the alerts (including Service Health alerts). Leave the value blank if no Logic app is used. To retrieve the callback url you can either use the `Get-AzLogicAppTriggerCallbackUrl` PowerShell command or navigate to the Logic app in the Azure portal, go to Logic app designer, expand the trigger activity (When an HTTP request is received) and copy the value in the URL field using the copy (2-sheets) icon.
- Change the value of `Event Hub Resource Id` to the Event Hubs to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Event Hub is used.
- Change the value of `Function Resource Id` to the Function resource id to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Function is used.
- Change the value of `Function Trigger Url` to the Function App trigger url of the function to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Function is used. To retrieve the Function App trigger url with the corresponding code, navigate to the HTTP-triggered function in the Azure portal, go to Code + Test, select Get function URL from the top menu and copy the value in the URL field using the copy (2-sheets) icon.
It is possible to use multiple email addresses, as well as multiple Arm Roles, Webhooks or Event Hubs (not recommended as per ALZ guidance). Should you set multiple entries, make sure they are entered as an array. Example:

```
["action1@contoso.com","action2@contoso.com","action3@contoso.com"]
["https://webhookUri1.webhook.com","http://webhookUri2.webhook.com"]
```
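Because the Notification Settings blade accepts free-text values and the deployment only fails (or silently creates an empty action group) once the policies are assigned, it is worth checking the values before running the deployment. The following Python script is an added example and not code from the AMBA project: it takes the blade values as a dictionary, enforces the rules stated above (multiple entries as an array, Logic App and Function actions need both a resource id and a URL, at least one action unless BYON is used) and flags non-HTTPS webhook and trigger URLs. The dictionary keys (`emailContact`, `webhookServiceUri`, `armRoleId`, `logicappResourceId`, `logicappCallbackUrl`, `eventHubResourceId`, `functionResourceId`, `functionTriggerUrl`, `bringYourOwnNotifications`) are assumptions loosely modelled on the blade labels, not the template's real parameter names, and the patterns and sample values are constructed.

```python
"""Pre-flight sanity check of Notification Settings values before running the AMBA
portal deployment. Added example, not code from the AMBA project; the key names are
assumptions modelled on the blade labels, not the template's real parameter names."""
import re

# Constructed patterns for the checks (assumptions, not rules published by AMBA).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+/providers/[^/]+(/[^/]+)+$", re.I)


def as_array(value):
    """Normalise a blank value, a single string or a list into a list of non-empty strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value] if value.strip() else []
    return [v for v in value if isinstance(v, str) and v.strip()]


def check_notification_settings(settings):
    """Return a list of findings; an empty list means the blade values are consistent."""
    findings = []

    def multi(key):
        # Multiple entries must be an array; a comma-separated string is a common mistake.
        raw = settings.get(key)
        if isinstance(raw, str) and "," in raw:
            findings.append(f"{key}: multiple values must be entered as an array, not a comma-separated string")
        return as_array(raw)

    emails = multi("emailContact")
    findings += [f"emailContact: '{e}' is not a valid email address" for e in emails if not EMAIL_RE.match(e)]

    webhooks = multi("webhookServiceUri")
    findings += [f"webhookServiceUri: '{w}' is not HTTPS; alert payloads would travel in clear text"
                 for w in webhooks if not w.lower().startswith("https://")]

    roles = multi("armRoleId")
    findings += [f"armRoleId: '{r}' is not a role definition GUID" for r in roles if not GUID_RE.match(r)]

    hubs = multi("eventHubResourceId")
    findings += [f"eventHubResourceId: '{h}' is not an Azure resource id" for h in hubs if not RESOURCE_ID_RE.match(h)]

    # A Logic App or Function action needs both halves (resource id and URL), or neither.
    for id_key, url_key, label in (("logicappResourceId", "logicappCallbackUrl", "Logic App"),
                                   ("functionResourceId", "functionTriggerUrl", "Function")):
        rid = (settings.get(id_key) or "").strip()
        url = (settings.get(url_key) or "").strip()
        if bool(rid) != bool(url):
            findings.append(f"{label}: set both {id_key} and {url_key}, or leave both blank")
        if rid and not RESOURCE_ID_RE.match(rid):
            findings.append(f"{id_key}: '{rid}' is not an Azure resource id")
        if url and not url.lower().startswith("https://"):
            findings.append(f"{url_key}: '{url}' must be an HTTPS URL")

    # With BYON the existing action groups carry the actions, so no action here is acceptable.
    configured = any([emails, webhooks, roles, hubs,
                      (settings.get("logicappResourceId") or "").strip(),
                      (settings.get("functionResourceId") or "").strip()])
    if not configured and not settings.get("bringYourOwnNotifications", False):
        findings.append("no notification action configured: the action group would be created empty")
    return findings


# Constructed sample inputs; the subscription GUID, names and signature are placeholders.
GOOD_SETTINGS = {
    "emailContact": ["action1@contoso.com", "action2@contoso.com"],
    "webhookServiceUri": ["https://webhookUri1.webhook.com"],
    "armRoleId": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635",  # built-in Owner role definition id
    "logicappResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                          "rg-amba-notify/providers/Microsoft.Logic/workflows/la-amba-alerts",
    "logicappCallbackUrl": "https://prod-00.westeurope.logic.azure.com/workflows/PLACEHOLDER/"
                           "triggers/manual/paths/invoke?sig=PLACEHOLDER",
    "eventHubResourceId": "",
    "functionResourceId": "",
    "functionTriggerUrl": "",
}

BAD_SETTINGS = {
    "emailContact": "action1@contoso.com,action2@contoso.com",  # not entered as an array
    "webhookServiceUri": ["https://webhookUri1.webhook.com", "http://webhookUri2.webhook.com"],
    "armRoleId": "Owner",  # role name instead of the role definition GUID
    "logicappCallbackUrl": "https://prod-00.westeurope.logic.azure.com/workflows/PLACEHOLDER/"
                           "triggers/manual/paths/invoke?sig=PLACEHOLDER",  # no resource id given
}

if __name__ == "__main__":
    for name, values in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS), ("empty", {})):
        print(name, check_notification_settings(values) or "OK")
```

Run it against the values you intend to type into the blade; `BAD_SETTINGS` reproduces the mistakes the text warns about (a comma-separated string instead of an array, a role name instead of an id, a callback url without its Logic app resource id) and yields one finding for each, plus one for the plain-http webhook from the example above.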
To remediate non-compliant policies, continue with Policy remediation.