Deploy with Azure PowerShell
To start, you can either download a copy of the parameter file according to the version of AMBA-ALZ you are going to deploy, or clone/fork the repository:
- alzArm.param.json aligned to the latest release
- alzArm.param.json aligned to the main branch
The following changes apply to all scenarios, whether you are aligned or unaligned with ALZ or have a single management group.
Change the value of the following parameters at the beginning of the parameter file according to the instructions below:
While it is technically possible to add no notification information at all (no email, no ARM Role, no Logic App, etc.), it is strongly recommended to configure at least one option.
1. Change the value of `enterpriseScaleCompanyPrefix` to the management group where you wish to deploy the policies and the initiatives. This is usually the so-called "pseudo root management group"; in ALZ terminology this is the "Intermediate Root Management Group" (directly beneath the "Tenant Root Group").
2. Change the value of `bringYourOwnUserAssignedManagedIdentity` to `Yes` if you have an existing user-assigned managed identity with the Monitoring Reader role assigned at the pseudo root management group level, or leave it at `No` if you would like a new one with the proper rights to be created as part of the deployment process.
3. Change the value of `bringYourOwnUserAssignedManagedIdentityResourceId`. If you set `bringYourOwnUserAssignedManagedIdentity` to `Yes`, insert the resource id of your user-assigned managed identity. If you left it at the default value of `No`, leave the value blank.
4. Change the value of `userAssignedManagedIdentityName` to a name of your preference. This parameter is used only if `bringYourOwnUserAssignedManagedIdentity` has been set to `No`.
5. Change the value of `managementSubscriptionId`. If you set `bringYourOwnUserAssignedManagedIdentity` to `No`, enter the subscriptionId of the management subscription; otherwise leave the default value.
6. Change the value of `ALZMonitorResourceGroupName` to the name of the resource group where the activity logs, resource health alerts, action groups and alert processing rules will be deployed.
7. Change the value of `ALZMonitorResourceGroupTags` to specify the tags to be added to that resource group.
8. Change the value of `ALZMonitorResourceGroupLocation` to specify the location of that resource group.
9. Change the value of `ALZMonitorActionGroupEmail` to the email address(es) where notifications of the alerts (including Service Health alerts) are sent. Leave the value blank if no email notification is used.
10. Change the value of `ALZLogicappResourceId` to the resource id of the Logic app to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Logic app is used.
11. Change the value of `ALZLogicappCallbackUrl` to the callback URL of the Logic app you want to use as action for the alerts (including Service Health alerts). Leave the value blank if no Logic app is used. To retrieve the callback URL, either use the `Get-AzLogicAppTriggerCallbackUrl` PowerShell command or navigate to the Logic app in the Azure portal, open the Logic app designer, expand the trigger activity (When an HTTP request is received) and copy the value in the URL field using the copy (two sheets) icon.
12. Change the value of `ALZArmRoleId` to the Azure Resource Manager Role(s) where notifications of the alerts (including Service Health alerts) are sent. Leave the value blank if no Azure Resource Manager Role notification is required.
13. Change the value of `ALZEventHubResourceId` to the Event Hubs to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Event Hubs is used.
14. Change the value of `ALZWebhookServiceUri` to the URI(s) to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Webhook is used.
15. Change the value of `ALZFunctionResourceId` to the resource id of the Function to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Function is used.
16. Change the value of `ALZFunctionTriggerUrl` to the Function App trigger URL of the function to be used as action for the alerts (including Service Health alerts). Leave the value blank if no Function is used. To retrieve the Function App trigger URL with the corresponding code, navigate to the HTTP-triggered function in the Azure portal, go to Code + Test, select Get function URL from the top menu and copy the value in the URL field using the copy (two sheets) icon.
It is possible to use multiple email addresses, as well as multiple ARM Roles, Webhooks or Event Hubs (not recommended as per ALZ guidance). Should you set multiple entries, make sure they are entered as a single string with the values separated by commas. Example:
```json
"ALZMonitorActionGroupEmail": {
  "value": "action1@contoso.com , action2@contoso.com , action3@contoso.com"
},
"ALZArmRoleId": {
  "value": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635, b24988ac-6180-42a0-ab88-20f7382dd24c"
},
"ALZWebhookServiceUri": {
  "value": "https://webhookUri1.webhook.com, http://webhookUri2.webhook.com"
},
```
If you would like to disable initiative assignments, you can change the value of one or more of the following parameters to `No`: `enableAMBAConnectivity`, `enableAMBAIdentity`, `enableAMBALandingZone`, `enableAMBAManagement`, `enableAMBAServiceHealth`.
If you are aligned with ALZ:
- Change the value of `platformManagementGroup` to the management group id for Platform.
- Change the value of `IdentityManagementGroup` to the management group id for Identity.
- Change the value of `managementManagementGroup` to the management group id for Management.
- Change the value of `connectivityManagementGroup` to the management group id for Connectivity.
- Change the value of `LandingZoneManagementGroup` to the management group id for Landing Zones.
If you are unaligned with ALZ:
- Change the value of `platformManagementGroup` to the management group id for Platform. The same management group id may be repeated.
- Change the value of `IdentityManagementGroup` to the management group id for Identity. The same management group id may be repeated.
- Change the value of `managementManagementGroup` to the management group id for Management. The same management group id may be repeated.
- Change the value of `connectivityManagementGroup` to the management group id for Connectivity. The same management group id may be repeated.
- Change the value of `LandingZoneManagementGroup` to the management group id for Landing Zones. The same management group id may be repeated.
For ease of deployment and maintenance we have kept the same variables. For example, if you combined Identity, Management and Connectivity into one management group, you should configure the variables `IdentityManagementGroup`, `managementManagementGroup`, `connectivityManagementGroup` and `LandingZoneManagementGroup` with the same management group id.
If you have a single management group:
- Change the value of `platformManagementGroup` to the pseudo root management group id, also called the "Intermediate Root Management Group".
- Change the value of `IdentityManagementGroup` to the pseudo root management group id, also called the "Intermediate Root Management Group".
- Change the value of `managementManagementGroup` to the pseudo root management group id, also called the "Intermediate Root Management Group".
- Change the value of `connectivityManagementGroup` to the pseudo root management group id, also called the "Intermediate Root Management Group".
- Change the value of `LandingZoneManagementGroup` to the pseudo root management group id, also called the "Intermediate Root Management Group".
For ease of deployment and maintenance we have kept the same variables. Configure the variables `enterpriseScaleCompanyPrefix`, `IdentityManagementGroup`, `managementManagementGroup`, `connectivityManagementGroup` and `LandingZoneManagementGroup` with the pseudo root management group id.
The parameter file shown below has been truncated for brevity, compared to the samples included.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "enterpriseScaleCompanyPrefix": {
      "value": "contoso"
    },
    "platformManagementGroup": {
      "value": "contoso-platform"
    },
    "IdentityManagementGroup": {
      "value": "contoso-identity"
    },
    "managementManagementGroup": {
      "value": "contoso-management"
    },
    "connectivityManagementGroup": {
      "value": "contoso-connectivity"
    },
    "LandingZoneManagementGroup": {
      "value": "contoso-landingzones"
    },
    "enableAMBAConnectivity": {
      "value": "Yes"
    },
    "enableAMBAIdentity": {
      "value": "Yes"
    },
    "enableAMBALandingZone": {
      "value": "Yes"
    },
    "enableAMBAManagement": {
      "value": "Yes"
    },
    "enableAMBAServiceHealth": {
      "value": "Yes"
    },
    "enableAMBANotificationAssets": {
      "value": "Yes"
    },
    "enableAMBAHybridVM": {
      "value": "Yes"
    },
    "telemetryOptOut": {
      "value": "No"
    },
    "bringYourOwnUserAssignedManagedIdentity": {
      "value": "No"
    },
    "bringYourOwnUserAssignedManagedIdentityResourceId": {
      "value": ""
    },
    "userAssignedManagedIdentityName": {
      "value": "id-amba-prod-001"
    },
    "managementSubscriptionId": {
      "value": ""
    },
    "ALZMonitorResourceGroupName": {
      "value": "rg-amba-monitoring-001"
    },
    "ALZMonitorResourceGroupLocation": {
      "value": "eastus"
    },
    "ALZMonitorResourceGroupTags": {
      "value": {
        "Project": "amba-monitoring"
      }
    },
    ...
  }
}
```
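Before running the deployment, it is worth checking the edited parameter file against the rules above (blank management group ids, the bring-your-own identity pairing, at least one notification channel, well-formed comma-separated lists). The following PowerShell is an added example, not code from the AMBA-ALZ repository; it assumes the parameter names and layout of the sample file above and the repository path `.\patterns\alz\alzArm.param.json`.

```powershell
# Added pre-flight check of alzArm.param.json, run before New-AzManagementGroupDeployment.
# Example code, not part of AMBA-ALZ; it assumes the parameter names used in the sample file above.
# Returns the list of problems found; an empty list means every check passed.
function Test-AmbaParamFile {
    param([Parameter(Mandatory)][string]$Path)
    $params = (Get-Content -Path $Path -Raw | ConvertFrom-Json).parameters
    $issues = [System.Collections.Generic.List[string]]::new()
    # Parameter value as a trimmed string ("" when absent); ARM parameter names are case-insensitive.
    function Get-Val([string]$Name) { ([string]$params.$Name.value).Trim() }
    # Multi-value parameters are one comma-separated string: split, trim, drop empty items.
    function Get-List([string]$Name) { (Get-Val $Name) -split ',' | ForEach-Object Trim | Where-Object { $_ } }

    foreach ($n in 'enterpriseScaleCompanyPrefix', 'platformManagementGroup', 'IdentityManagementGroup',
                   'managementManagementGroup', 'connectivityManagementGroup', 'LandingZoneManagementGroup') {
        if (-not (Get-Val $n)) { $issues.Add("$n is blank; a management group id is required") }
    }
    # Bring-your-own identity: a resource id is needed when Yes, a management subscription id when No.
    $byo = Get-Val 'bringYourOwnUserAssignedManagedIdentity'
    if ($byo -eq 'Yes' -and -not (Get-Val 'bringYourOwnUserAssignedManagedIdentityResourceId')) {
        $issues.Add('bringYourOwnUserAssignedManagedIdentityResourceId is required when the identity is brought')
    } elseif ($byo -eq 'No' -and -not (Get-Val 'managementSubscriptionId')) {
        $issues.Add('managementSubscriptionId is required when a new managed identity is created')
    }

    # Notification channels: at least one is strongly recommended; paired parameters go together.
    $channels = 'ALZMonitorActionGroupEmail', 'ALZArmRoleId', 'ALZLogicappResourceId',
                'ALZEventHubResourceId', 'ALZWebhookServiceUri', 'ALZFunctionResourceId'
    if (-not ($channels | Where-Object { Get-Val $_ })) { $issues.Add('no notification channel is configured') }
    foreach ($pair in @(@('ALZLogicappResourceId', 'ALZLogicappCallbackUrl'),
                        @('ALZFunctionResourceId', 'ALZFunctionTriggerUrl'))) {
        if ([bool](Get-Val $pair[0]) -ne [bool](Get-Val $pair[1])) {
            $issues.Add("$($pair[0]) and $($pair[1]) must both be set or both be blank")
        }
    }
    # Validate every item of the comma-separated lists.
    Get-List 'ALZMonitorActionGroupEmail' | Where-Object { $_ -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$' } |
        ForEach-Object { $issues.Add("ALZMonitorActionGroupEmail: '$_' is not an email address") }
    Get-List 'ALZArmRoleId' | Where-Object { $_ -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' } |
        ForEach-Object { $issues.Add("ALZArmRoleId: '$_' is not a role definition GUID") }
    foreach ($u in Get-List 'ALZWebhookServiceUri') {
        if (-not [uri]::IsWellFormedUriString($u, 'Absolute')) {
            $issues.Add("ALZWebhookServiceUri: '$u' is not an absolute URI")
        } elseif (([uri]$u).Scheme -ne 'https') {
            $issues.Add("ALZWebhookServiceUri: '$u' is not HTTPS; alert payloads would be sent in clear text")
        }
    }
    return $issues
}

Test-AmbaParamFile -Path '.\patterns\alz\alzArm.param.json'
```

An empty result means the file passed; otherwise each line names the parameter to fix before deploying.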
Open a PowerShell prompt, navigate to the root of the cloned repo and log on to Azure with an account with at least Resource Policy Contributor access at the root of the management group hierarchy where you will be creating the policies and initiatives.
Run the following commands:
```powershell
$location = "Your Azure location of choice"
$pseudoRootManagementGroup = "The pseudo root management group id parenting the Platform and Landing Zones management groups"
```
The value of the `pseudoRootManagementGroup` variable above, being the so-called "pseudo root management group id", should coincide with the value of the `parPolicyPseudoRootMgmtGroup` parameter as set previously within the parameter file.
The location variable refers to the deployment location. Deploying to multiple regions is not necessary as the definitions and assignments are scoped to a management group and are not region-specific.
Deploying through PowerShell requires authentication to Azure and the following modules:
- Az.Accounts
- Az.Resources
Before starting the deployment, make sure you have logged in using the `Connect-AzAccount` PowerShell command and that the modules above are imported.
If you closed your previous session, open a PowerShell prompt, navigate again to the root of the cloned repo and log on to Azure with an account with at least Resource Policy Contributor access at the root of the management group hierarchy where you will be creating the policies and initiatives. Then run the command below.
This should be tested in a safe environment. If you are later looking to deploy to prod environments, consider using the guidance found in Customize Policy Assignment, to deploy and enable alerts in a controlled manner.
If you customized the policies as documented at How to modify individual policies, make sure to run the deployment command using your own repository and branch in the `-TemplateUri` parameter value. Example:
```powershell
New-AzManagementGroupDeployment -Name "amba-GeneralDeployment" -ManagementGroupId $pseudoRootManagementGroup -Location $location -TemplateUri "https://raw.githubusercontent.com/***YourGithubFork***/azure-monitor-baseline-alerts/***main or branchname***/patterns/alz/alzArm.json" -TemplateParameterFile ".\patterns\alz\alzArm.param.json"
```
Otherwise, deploy from the release-aligned template:
```powershell
New-AzManagementGroupDeployment -Name "amba-GeneralDeployment" -ManagementGroupId $pseudoRootManagementGroup -Location $location -TemplateUri "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-11-01/patterns/alz/alzArm.json" -TemplateParameterFile ".\patterns\alz\alzArm.param.json"
```
To remediate non-compliant policies, continue with Policy remediation.