What's new · Azure/Enterprise-Scale Wiki


What's new


github-actions edited this page Apr 26, 2023 · 116 revisions

In this Section

Enterprise Scale/Azure Landing Zones is updated regularly. This page is where you'll find out about the latest updates to Enterprise Scale/Azure Landing Zones for:

Note: Please check the latest release notes for each of the tools, as these will contain more detailed notes relating to changes in each of the tools.

This article will be updated as and when changes are made to the above and anything else of relevance for Enterprise Scale/Azure Landing Zones. Make sure to check back here often to keep up with new updates and changes.

Important: Previous changes to the above in relation to Enterprise Scale will not be listed here. However, going forward, this page will be updated.

Updates

Here's what's changed in Enterprise Scale/Azure Landing Zones:

April 2023

We are pleased to announce that we are starting regular Azure Policy reviews for Azure Landing Zone. Each review covers new built-in policies and their suitability for ALZ, built-in policies that can replace custom ALZ policies, built-in policies that have been deprecated, and new ALZ custom policies and initiatives identified from best practices, issues raised and customer feedback. Most importantly, we have also provided default assignments for all the new policies at the appropriate ALZ management group level, so that new policies are automatically assigned at the right scope and the ALZ baseline stays current with the latest Azure Policy definitions.

This update adds or updates many ALZ Azure Policies and Initiatives to enhance the security, governance and management of ALZ. As part of our commitment to continuous improvement, we have also enhanced our policy review process, focusing on transitioning away from deprecated policies where possible, moving from custom to built-in policies that provide the same or enhanced functionality, and implementing new policies as part of the current review cycle. We have also implemented non-compliance messages where supported, so that a resource that fails a policy reports a clear reason.

This is the first major review and refresh of Azure Policy since ALZ was GA'd. Since GA, many new built-in policies and initiatives have been released, which has driven the need for this review. We believe that a regular review cycle will allow us to stay on top of emerging trends and new policies, ensuring that your Azure environment remains secure and compliant. Should you identify policies or initiatives that should be considered for ALZ, kindly submit a GitHub issue. For more information, please refer to the ALZ Policies page or the new Excel spreadsheet version.

We strongly advise staying up to date to ensure the best possible security posture for your Azure environment; see Keep your Azure landing zone up to date. For those with existing deployments or policies, we have provided Brownfield guidance to help you navigate the process of updating to the latest policies. We recognize that upgrading an existing deployment or existing policies may involve breaking changes; for details, follow our recently released guidance to support you in this process:

Please note that, in some cases, moving to the new Built-In Policy definitions, deploying changes to existing custom policies or removing deprecated policies will require a new Policy Assignment and removal of the previous Policy Assignment, which means the compliance history for that Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace, the policy events for the assignment are retained there for the configured retention period. Note that the Activity Log records the audit and deny events Azure Policy raises when a resource is created or changed, not the results of the periodic compliance evaluation, so what survives is the enforcement trail rather than the compliance dashboard itself. Thank you for your cooperation, and we look forward to continuing to work with you to ensure the security and compliance of your Azure environment.

While we've made every effort to test the stability of this release, should you have any issues and the guidance provided does not resolve your issue, please open a GitHub issue so we can do our best to support you and document the fix for others.

Policy
Breaking Changes

Note that a number of initiatives have been updated in a way that will fail to deploy over existing deployments, because the parameters and their default values changed as policies were added to or removed from the initiatives. To resolve this, remove the existing initiative assignments and then redeploy the updated initiative.

| Initiative Name | Change | Recommended Action |
| --- | --- | --- |
| Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit (azadvertizer.net) | Removed a deprecated policy; the superseding policy is already in the initiative | Remove the existing initiative assignment, delete the custom initiative and remove the orphaned identity. Deploy the updated initiative. |
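The removal steps in the table above, as an added PowerShell example that is not code from the Enterprise-Scale repo or its tooling. It assumes the Az.Resources (6.x object shape) and Az.PolicyInsights modules and an account with rights on the management group; the management group ID, assignment name and initiative name are placeholders. Step 1 snapshots the compliance state because, as noted above, it is lost together with the assignment; step 3 deals with the "orphaned identity": deleting an assignment deletes its system-assigned identity, but the role assignments granted to that identity stay behind as entries with ObjectType 'Unknown' unless they are removed as well.

```powershell
# Added example for this wiki page; not code from the Enterprise-Scale repo or its tooling.
# Requires Az.Resources and Az.PolicyInsights and an account with rights at the management group.
# The three values below are assumptions: replace them with your own.
$ManagementGroupId = 'alz'                      # assumption: management group holding the assignment
$AssignmentName    = 'Enforce-TLS-SSL'          # assumption: name of the existing initiative assignment
$InitiativeName    = 'Enforce-EncryptTransit'   # assumption: name of the custom initiative definition
$Scope             = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"

# 1. Snapshot the current compliance state for this assignment: it disappears with the assignment.
#    Filtering client-side keeps the match case-insensitive regardless of how the name is stored.
Get-AzPolicyState -ManagementGroupName $ManagementGroupId -Top 5000 |
    Where-Object { $_.PolicyAssignmentName -eq $AssignmentName } |
    Export-Csv -Path ".\$AssignmentName-compliance-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# 2. Read the assignment while it still exists to learn which system-assigned identity it runs as.
#    (Az.Resources 6.x shape; in 7.x the same value is $assignment.IdentityPrincipalId.)
$assignment  = Get-AzPolicyAssignment -Name $AssignmentName -Scope $Scope -ErrorAction Stop
$principalId = $assignment.Identity.PrincipalId

# 3. Collect the role assignments granted to that identity. Deleting the policy assignment deletes the
#    identity but not these; they would remain as orphaned entries with ObjectType 'Unknown'.
$roleAssignments = @()
if ($principalId) { $roleAssignments = Get-AzRoleAssignment -ObjectId $principalId }

# 4. Remove the assignment, then its role assignments, then the custom initiative definition.
#    The definition can only be deleted once no assignment references it.
Remove-AzPolicyAssignment -Name $AssignmentName -Scope $Scope | Out-Null
foreach ($ra in $roleAssignments) {
    Remove-AzRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionId $ra.RoleDefinitionId -Scope $ra.Scope
}
Remove-AzPolicySetDefinition -Name $InitiativeName -ManagementGroupName $ManagementGroupId -Force | Out-Null

# 5. Check that no role assignment visible at this scope still points at a deleted principal.
$orphans = Get-AzRoleAssignment -Scope $Scope | Where-Object { $_.ObjectType -eq 'Unknown' }
if ($orphans) {
    Write-Warning "Orphaned role assignments remain at $Scope"
    $orphans | Format-Table RoleDefinitionName, ObjectId, Scope -AutoSize
}

# 6. Redeploy the updated initiative and its assignment with the ALZ tooling you use (portal accelerator,
#    Bicep or Terraform). The new assignment gets a new identity and new role assignments.
```

Run it once per affected initiative assignment. Step 5 is worth keeping as a standing check: orphaned role assignments are invisible to "who has access" reviews by name and accumulate quietly every time an assignment with a managed identity is deleted.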
New
Update
Retire

If you are not using these policies, we advise you to remove the assignment at the Corp management group level.

Portal Accelerator
March 2023
Docs
Tooling
February 2023
Policy
Tooling
January 2023
Policy
Other
December 2022
Docs
| Original URL | New URL |
| --- | --- |
| docs/ESLZ-Policies.md | wiki/ALZ-Policies |
| docs/EnterpriseScale-Architecture.md | wiki/ALZ-Architecture |
| docs/EnterpriseScale-Contribution.md | wiki/ALZ-Contribution |
| docs/EnterpriseScale-Deploy-landing-zones.md | wiki/ALZ-Deploy-landing-zones |
| docs/EnterpriseScale-Deploy-reference-implentations.md | wiki/ALZ-Deploy-reference-implementations |
| docs/EnterpriseScale-Deploy-workloads.md | wiki/ALZ-Deploy-workloads |
| docs/EnterpriseScale-Known-Issues.md | wiki/ALZ-Known-Issues |
| docs/EnterpriseScale-Roadmap.md | wiki/ALZ-Roadmap |
| docs/EnterpriseScale-Setup-aad-permissions.md | wiki/ALZ-Setup-aad-permissions |
| docs/EnterpriseScale-Setup-azure.md | wiki/ALZ-Setup-azure |
Tooling
Policy
Tooling
November 2022
Docs
Tooling
Policy
| ALZ Policy ID(s) | Azure Built-in Policy ID(s) |
| --- | --- |
| Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 |
| Deploy-Nsg-FlowLogs | e920df7f-9a64-4066-9b58-52684c02a091 |
| Deny-PublicIp | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
Other
October 2022
Docs
Tooling
Policy
Other
September 2022
Docs
Tooling
Policy
Other
August 2022
Docs
Tooling
Policy
Other
July 2022
Docs
Tooling
Policy
Other
June 2022
Docs
Tooling
Policy
Other
May 2022
Docs
Tooling
Policy
Other
April 2022
Docs
Tooling
Policy
Other
February 2022
Docs
Tooling
Policy
Other
January 2022
Docs
Tooling
Policy
| Policy Definition Display Name | Policy Definition ID | Note |
| --- | --- | --- |
| [Deprecated]: Configure Azure Defender for container registries to be enabled | d3d1e68e-49d4-4b56-acff-93cef644b432 | REMOVED - Old ACR policy |
| [Deprecated]: Configure Azure Defender for Kubernetes to be enabled | 133047bf-1369-41e3-a3be-74a11ed1395a | REMOVED - Old AKS policy |
| Configure Microsoft Defender for Containers to be enabled | c9ddb292-b203-4738-aead-18e2716e858f | ADDED - New grouped containers policy for the new plan |
Other
December 2021
Docs

Updated TOC

Policy
November 2021
Docs
Tooling
Policy
Other
October 2021
Docs
Tooling
Policy
Other
September 2021
Docs
Tooling
Policy
| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Deny-Databricks-NoPublicIp | Deny public IPs for Databricks cluster | Databricks | | | | Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs. |
| Deny-Databricks-Sku | Deny non-premium Databricks sku | Databricks | | | | Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available, including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD. |
| Deny-Databricks-VirtualNetwork | Deny Databricks workspaces without Vnet injection | Databricks | | | | Enforces the use of vnet injection for Databricks workspaces. |
| Deny-MachineLearning-PublicNetworkAccess | Azure Machine Learning should have disabled public network access | Machine Learning | | | | Denies public network access for Azure Machine Learning workspaces. |
Other
August 2021
Docs
Tooling
Policy
Other
July 2021
Docs
Tooling
Policy

You may continue to use the ESLZ custom Azure Policy definitions, as they will still function as they do today. However, we recommend moving to assigning the new Built-In versions of these Azure Policies.

Please note that moving to a new Built-In Policy Definition will require a new Policy Assignment and removal of the previous Policy Assignment, which means the compliance history for that Policy Assignment will be lost. However, if you have configured your Activity Logs and Security Center to export to a Log Analytics Workspace, the policy events for the assignment are retained there for the configured retention period.
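Recovering the retained policy events for an assignment that has since been removed, from the Log Analytics workspace that receives the Activity Log export described above (and in the April 2023 notes), as an added PowerShell example that is not part of the Enterprise-Scale project. It assumes the Az.OperationalInsights module; the workspace ID and assignment name are placeholders, and the column names follow the AzureActivity table schema. What the Activity Log holds are the audit and deny events Azure Policy raised when resources were created or changed, so this recovers the enforcement trail for the old assignment, not the periodic compliance evaluation results.

```powershell
# Added example for this wiki page; not code from the Enterprise-Scale repo or its tooling.
# Requires Az.OperationalInsights. Both values below are assumptions: replace them with your own.
$WorkspaceId    = '00000000-0000-0000-0000-000000000000'   # assumption: Log Analytics workspace (customer) ID
$AssignmentName = 'Deny-PublicEndpoints'                    # assumption: name of the removed policy assignment

# Policy events land in AzureActivity with CategoryValue 'Policy'. The policies that were evaluated
# sit in the Properties JSON under 'policies', itself a JSON-encoded array, hence the double parse.
# Single quotes are used inside the query so the PowerShell here-string can interpolate $AssignmentName.
$query = @"
AzureActivity
| where TimeGenerated > ago(90d)
| where CategoryValue == 'Policy'
| where OperationNameValue in~ ('Microsoft.Authorization/policies/audit/action',
                                'Microsoft.Authorization/policies/auditIfNotExists/action',
                                'Microsoft.Authorization/policies/deny/action')
| extend policies = parse_json(tostring(parse_json(Properties).policies))
| mv-expand policies
| where tostring(policies.policyAssignmentName) =~ '$AssignmentName'
| project TimeGenerated, _ResourceId, OperationNameValue, ActivityStatusValue,
          policyDefinitionName = tostring(policies.policyDefinitionName),
          effect               = tostring(policies.policyDefinitionEffect)
| order by TimeGenerated desc
"@

$response = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query -ErrorAction Stop

# Summarise per definition and effect so a reviewer sees what the old assignment actually blocked or flagged.
$response.Results |
    Group-Object policyDefinitionName, effect |
    Select-Object @{ Name = 'Definition/Effect'; Expression = { $_.Name } }, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

The 90-day window is only a starting point; set it to the workspace retention you configured, which is the real upper bound on how far back this trail reaches once the assignment itself is gone.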

Policy Definitions Updates

| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | Built-In Policy Name/ID | Built-In Policy Display Name | Built-In Category | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Deny-PublicEndpoint-Aks | Public network access on AKS API should be disabled | Kubernetes | 040732e8-d947-40b8-95d6-854c95024bf8 | Azure Kubernetes Service Private Clusters should be enabled | Kubernetes | |
| Deny-PublicEndpoint-CosmosDB | Public network access should be disabled for CosmosDB | SQL | 797b37f7-06b8-444c-b1ad-fc62867f335a | Azure Cosmos DB should disable public network access | Cosmos DB | |
| Deny-PublicEndpoint-KeyVault | Public network access should be disabled for KeyVault | Key Vault | 55615ac9-af46-4a59-874e-391cc3dfb490 | [Preview]: Azure Key Vault should disable public network access | Key Vault | |
| Deny-PublicEndpoint-MySQL | Public network access should be disabled for MySQL | SQL | c9299215-ae47-4f50-9c54-8a392f68a052 | Public network access should be disabled for MySQL flexible servers | SQL | |
| Deny-PublicEndpoint-PostgreSql | Public network access should be disabled for PostgreSql | SQL | 5e1de0e3-42cb-4ebc-a86d-61d0c619ca48 | Public network access should be disabled for PostgreSQL flexible servers | SQL | |
| Deny-PublicEndpoint-Sql | Public network access on Azure SQL Database should be disabled | SQL | 1b8ca024-1d5c-4dec-8995-b1a932b41780 | Public network access on Azure SQL Database should be disabled | SQL | |
| Deny-PublicEndpoint-Storage | Public network access on Storage accounts should be disabled | Storage | 34c877ad-507e-4c82-993e-3452a6e0ad3c | Storage accounts should restrict network access | Storage | |
| Deploy-Diagnostics-AKS | Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace | Monitoring | 6c66c325-74c8-42fd-a286-a74b0e2939d | Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace | Kubernetes | |
| Deploy-Diagnostics-Batch | Deploy Diagnostic Settings for Batch to Log Analytics workspace | Monitoring | c84e5349-db6d-4769-805e-e14037dab9b5 | Deploy Diagnostic Settings for Batch Account to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-DataLakeStore | Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace | Monitoring | d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03 | Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-EventHub | Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace | Monitoring | 1f6e93e8-6b31-41b1-83f6-36e449a42579 | Deploy Diagnostic Settings for Event Hub to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-KeyVault | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | bef3f64c-5290-43b7-85b0-9b254eef4c47 | Deploy Diagnostic Settings for Key Vault to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-LogicAppsWF | Deploy Diagnostic Settings for Logic Apps Workflow runtime to Log Analytics workspace | Monitoring | b889a06c-ec72-4b03-910a-cb169ee18721 | Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace | Monitoring | This is currently not assigned as per #691 |
| Deploy-Diagnostics-RecoveryVault | Deploy Diagnostic Settings for Recovery Services vaults to Log Analytics workspace | Monitoring | c717fb0c-d118-4c43-ab3d-ece30ac81fb3 | Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories | Backup | |
| Deploy-Diagnostics-SearchServices | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | 08ba64b8-738f-4918-9686-730d2ed79c7d | Deploy Diagnostic Settings for Search Services to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-ServiceBus | Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace | Monitoring | 04d53d87-841c-4f23-8a5b-21564380b55e | Deploy Diagnostic Settings for Service Bus to Log Analytics workspace | Monitoring | |
| Deploy-Diagnostics-SQLDBs | Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace | Monitoring | b79fa14e-238a-4c2d-b376-442ce508fc84 | Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace | SQL | |
| Deploy-Diagnostics-StreamAnalytics | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | 237e0f7e-b0e8-4ec4-ad46-8c12cb66d673 | Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace | Monitoring | |
| Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint | Deploy DNS Zone Group for Storage-Blob Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. It will be here very soon! |
| Deploy-DNSZoneGroup-For-File-PrivateEndpoint | Deploy DNS Zone Group for Storage-File Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. It will be here very soon! |
| Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint | Deploy DNS Zone Group for Key Vault Private Endpoint | Network | ac673a9a-f77d-4846-b2d8-a57f8e1c01d4 | [Preview]: Configure Azure Key Vaults to use private DNS zones | Key Vault | |
| Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint | Deploy DNS Zone Group for Storage-Queue Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. It will be here very soon! |
| Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint | Deploy DNS Zone Group for SQL Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. It will be here very soon! |
| Deploy-DNSZoneGroup-For-Table-PrivateEndpoint | Deploy DNS Zone Group for Storage-Table Private Endpoint | Network | TBC | TBC | TBC | This policy is still rolling out to the Built-In Definitions at this time. It will be here very soon! |
| Deploy-LA-Config | Deploy the configurations to the Log Analytics in the subscription | Monitoring | Policy Removed | Policy Removed | TBC | This policy has been removed as it is handled as a resource deployment in the ARM templates, portal experience and Terraform module. |
| Deploy-Log-Analytics | Deploy the Log Analytics in the subscription | Monitoring | 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 | Configure Log Analytics workspace and automation account to centralize logs and monitoring | Monitoring | |
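A brownfield check for management groups that still assign the custom definitions which the table above and the November 2022 table map to built-ins, as an added PowerShell example that is not part of the Enterprise-Scale project. The mapping is copied from those tables (a subset; extend it with the remaining rows), the management group ID is a placeholder, and the code assumes the Az.Resources 6.x object shape (definition IDs under .Properties). It reports each superseded custom definition it finds, whether it is assigned directly or reached through a custom initiative, and whether the built-in replacement is already assigned directly at the scope.

```powershell
# Added example for this wiki page; not code from the Enterprise-Scale repo or its tooling.
# Mapping copied from the tables on this page: custom ALZ definition name -> built-in definition ID.
# The AKS diagnostics row is left out because its built-in ID is incomplete in the source table.
$Superseded = @{
    'Deny-PublicEndpoint-Aks'        = '040732e8-d947-40b8-95d6-854c95024bf8'
    'Deny-PublicEndpoint-CosmosDB'   = '797b37f7-06b8-444c-b1ad-fc62867f335a'
    'Deny-PublicEndpoint-KeyVault'   = '55615ac9-af46-4a59-874e-391cc3dfb490'
    'Deny-PublicEndpoint-MySQL'      = 'c9299215-ae47-4f50-9c54-8a392f68a052'
    'Deny-PublicEndpoint-PostgreSql' = '5e1de0e3-42cb-4ebc-a86d-61d0c619ca48'
    'Deny-PublicEndpoint-Sql'        = '1b8ca024-1d5c-4dec-8995-b1a932b41780'
    'Deny-PublicEndpoint-Storage'    = '34c877ad-507e-4c82-993e-3452a6e0ad3c'
    'Deploy-Diagnostics-KeyVault'    = 'bef3f64c-5290-43b7-85b0-9b254eef4c47'
    'Deny-PublicIp'                  = '6c112d4e-5bc7-47ae-a041-ea2d9dccd749'   # November 2022 table
    'Deploy-Nsg-FlowLogs'            = 'e920df7f-9a64-4066-9b58-52684c02a091'   # November 2022 table
}

$ManagementGroupId = 'alz'   # assumption: management group the custom definitions were deployed to
$Scope         = "/providers/Microsoft.Management/managementGroups/$ManagementGroupId"
$BuiltInPrefix = '/providers/Microsoft.Authorization/policyDefinitions/'

# Last segment of a definition resource ID: a custom name such as 'Deny-PublicIp' or a built-in GUID.
function Get-DefinitionLeaf([string]$Id) { ($Id.TrimEnd('/') -split '/')[-1] }

# Emits one record per superseded custom definition an assignment references. Via is 'direct' when the
# definition is assigned on its own, or the initiative name when it is reached through a custom initiative.
function Find-SupersededReference($Assignment) {
    $defId = $Assignment.Properties.PolicyDefinitionId
    if ($defId -match '/policySetDefinitions/') {
        if ($defId -like '/providers/Microsoft.Authorization/*') { return }   # built-in initiative: nothing custom inside
        $set = Get-AzPolicySetDefinition -Id $defId
        foreach ($ref in $set.Properties.PolicyDefinitions) {
            $leaf = Get-DefinitionLeaf $ref.policyDefinitionId
            if ($Superseded.ContainsKey($leaf) -and $ref.policyDefinitionId -notlike "$BuiltInPrefix*") {
                [pscustomobject]@{ Assignment = $Assignment.Name; Via = $set.Name; Custom = $leaf; BuiltInId = $Superseded[$leaf] }
            }
        }
        return
    }
    $leaf = Get-DefinitionLeaf $defId
    if ($Superseded.ContainsKey($leaf) -and $defId -notlike "$BuiltInPrefix*") {
        [pscustomobject]@{ Assignment = $Assignment.Name; Via = 'direct'; Custom = $leaf; BuiltInId = $Superseded[$leaf] }
    }
}

$assignments = Get-AzPolicyAssignment -Scope $Scope

# Built-in definitions assigned directly here, so each finding can say whether the replacement is in place.
# Replacements assigned through an initiative (for example Deny-PublicPaaSEndpoints) are not counted.
$assignedBuiltIns = foreach ($a in $assignments) {
    $id = $a.Properties.PolicyDefinitionId
    if ($id -like "$BuiltInPrefix*") { Get-DefinitionLeaf $id }
}

$findings = foreach ($a in $assignments) { Find-SupersededReference $a }
$findings |
    Select-Object Assignment, Via, Custom, BuiltInId,
        @{ Name = 'BuiltInAssigned'; Expression = { $assignedBuiltIns -contains $_.BuiltInId } } |
    Format-Table -AutoSize
```

A finding with BuiltInAssigned false is a gap to close before the custom definition is retired; one with BuiltInAssigned true is a duplicate evaluation that can be removed following the reassignment caveat above.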

Policy Initiatives Updates

| Custom ESLZ Policy Name | Custom ESLZ Policy Display Name | Custom Category | New Policy Name/ID | New Policy Display Name | New Category | Notes |
| --- | --- | --- | --- | --- | --- | --- |
| Deploy-Diag-LogAnalytics | Deploy Diagnostic Settings to Azure Services | N/A | Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | Monitoring | Moved to using a mix of Built-In (as above) and custom policy definitions |
| Deny-PublicEndpoints | Public network access should be disabled for PAAS services | Network | Deny-PublicPaaSEndpoints | Public network access should be disabled for PaaS services | N/A | Moved to using Built-In policy definitions only (as above) |
| New Policy | New Policy | N/A | Deploy-Private-DNS-Zones | Configure Azure PaaS services to use private DNS zones | Network | |
Other

No updates, yet.

June 2021
Docs
Tooling
Policy
Other

This wiki is being actively developed

If you discover any documentation bugs or would like to request new content, please raise them as an issue.

Contributions to this wiki are done through the main repo under docs/wiki.