├── .gitattributes ├── .gitconfig ├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── BUG_REPORT.md │ ├── FEATURE_REQUEST.md │ └── Policy_Submission.yml ├── PULL_REQUEST_TEMPLATE.md ├── actions-config │ └── gh-ado-sync-config.json ├── actions-pester │ ├── PTF-TestPolicies.ps1 │ ├── PolicyPesterTestHelper.psm1 │ ├── Test-BuildPolicies.Tests.ps1 │ └── Test-ModifiedPolicies.Tests.ps1 ├── dependabot.yml ├── policies │ └── resourceManagement.yml └── workflows │ ├── check-policy-build.yml │ ├── code-review.yml │ ├── scorecard.yml │ ├── test-portal.yml │ ├── unit-test-policies.yml │ ├── update-alz-tools.yml │ └── wiki-sync.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── LICENSE ├── README.md ├── SECURITY.md ├── SUPPORT.md ├── docs ├── Deploy │ ├── configure-own-environment.md │ ├── deploy-lz-vnet.md │ ├── deploy-new-policy-assignment.md │ ├── deploy-policy-driven-routing.md │ ├── es-schema.md │ └── media │ │ ├── arm-template.png │ │ ├── deployment-scopes.png │ │ ├── ea-account-spn.png │ │ ├── github-workflow-trigger-manual.png │ │ ├── initialize-azops.png │ │ ├── lz-assignments-deployment.png │ │ ├── lz-definition-deployment.png │ │ ├── platform-subscriptions.png │ │ ├── sample-deployment-scope.png │ │ ├── tenant-level-deployment.png │ │ ├── vnet_image1.png │ │ ├── vnet_image10.png │ │ ├── vnet_image11.png │ │ ├── vnet_image12.png │ │ ├── vnet_image13.png │ │ ├── vnet_image2.png │ │ ├── vnet_image3.png │ │ ├── vnet_image4.png │ │ ├── vnet_image5.png │ │ ├── vnet_image6.png │ │ ├── vnet_image7.png │ │ ├── vnet_image8.png │ │ └── vnet_image9.png ├── ESLZ-Policies.md ├── EnterpriseScale-Architecture.md ├── EnterpriseScale-Contribution.md ├── EnterpriseScale-Deploy-landing-zones.md ├── EnterpriseScale-Deploy-reference-implentations.md ├── EnterpriseScale-Deploy-workloads.md ├── EnterpriseScale-Known-Issues.md ├── EnterpriseScale-Roadmap.md ├── EnterpriseScale-Setup-aad-permissions.md ├── EnterpriseScale-Setup-azure.md ├── reference │ ├── Readme.md │ ├── adventureworks │ │ ├── 
README.md │ │ └── media │ │ │ ├── es-hubspoke.png │ │ │ └── hub-and-spoke-topology.png │ ├── azpol.md │ ├── contoso │ │ ├── Readme.md │ │ └── media │ │ │ ├── global-transit.png │ │ │ └── ns-vwan.png │ ├── lzs │ │ └── armTemplates │ │ │ ├── eslz.json │ │ │ └── portal-eslz.json │ ├── treyresearch │ │ ├── README.md │ │ ├── armTemplates │ │ │ ├── auxiliary │ │ │ │ ├── diagnosticsAndSecurity.json │ │ │ │ ├── hubspoke-connectivity.json │ │ │ │ ├── logAnalytics.json │ │ │ │ ├── logAnalyticsSolutions.json │ │ │ │ ├── lz.json │ │ │ │ ├── mgmtGroups.json │ │ │ │ ├── policies.json │ │ │ │ └── subscriptioSecurityConfig.json │ │ │ ├── es-lite.json │ │ │ ├── es-portal.json │ │ │ └── portal-es-lite.json │ │ └── media │ │ │ └── es-lite.png │ └── wingtip │ │ ├── README.md │ │ └── media │ │ ├── addClientSecret.PNG │ │ ├── basics.PNG │ │ ├── copySecret.PNG │ │ ├── create.PNG │ │ ├── createSecret.png │ │ ├── createSecret2.png │ │ ├── createSecret3.png │ │ ├── createSecret4.png │ │ ├── deploy1.PNG │ │ ├── deploy2.PNG │ │ ├── deploy3.PNG │ │ ├── deploy4.PNG │ │ ├── deploy5.PNG │ │ ├── es-without-networking.PNG │ │ ├── existingSpn.PNG │ │ ├── exit.PNG │ │ ├── lz.PNG │ │ ├── newSpn.PNG │ │ ├── platform.PNG │ │ ├── prefix.PNG │ │ └── secretValue.PNG └── wiki │ ├── ALZ-AMA-FAQ.md │ ├── ALZ-AMA-Migration-Guidance.md │ ├── ALZ-AMA-PowerShell-Script.md │ ├── ALZ-AMA-Update.md │ ├── ALZ-Architecture.md │ ├── ALZ-Contribution-Guide.md │ ├── ALZ-Deploy-landing-zones.md │ ├── ALZ-Deploy-reference-implementations.md │ ├── ALZ-Deploy-workloads.md │ ├── ALZ-Deprecated-Services.md │ ├── ALZ-Known-Issues.md │ ├── ALZ-Policies-Extra.md │ ├── ALZ-Policies-FAQ.md │ ├── ALZ-Policies-Test-Workflow-Sample.md │ ├── ALZ-Policies-Testing.md │ ├── ALZ-Policies.md │ ├── ALZ-Resource-Provider-Recommendations.md │ ├── ALZ-Setup-aad-permissions.md │ ├── ALZ-Setup-azure.md │ ├── Community-Calls.md │ ├── Create-Landingzones.md │ ├── Deploying-ALZ-BasicSetup.md │ ├── Deploying-ALZ-CustomerUsage.md │ ├── 
Deploying-ALZ-Foundation.md │ ├── Deploying-ALZ-HubAndSpoke.md │ ├── Deploying-ALZ-Platform-DevOps.md │ ├── Deploying-ALZ-Pre-requisites.md │ ├── Deploying-ALZ-VWAN.md │ ├── Deploying-ALZ-ZTNetwork.md │ ├── Deploying-ALZ.md │ ├── Deploying-Enterprise-Scale-BasicSetup.md │ ├── Deploying-Enterprise-Scale-CustomerUsage.md │ ├── Deploying-Enterprise-Scale-Foundation.md │ ├── Deploying-Enterprise-Scale-HubAndSpoke.md │ ├── Deploying-Enterprise-Scale-Platform-DevOps.md │ ├── Deploying-Enterprise-Scale-Pre-requisites.md │ ├── Deploying-Enterprise-Scale-VWAN.md │ ├── Deploying-Enterprise-Scale.md │ ├── FAQ.md │ ├── Home.md │ ├── How-Enterprise-Scale-Works.md │ ├── Migrate-ALZ-Policies-to-Built‐in.md │ ├── Update-ALZ-Custom-Policies-to-Latest.md │ ├── What-is-Enterprise-Scale.md │ ├── Whats-new.md │ ├── _Footer.md │ ├── _Sidebar.md │ └── media │ ├── 1.1.update-alz-custom-policy-def-search.png │ ├── 1.2.update-alz-custom-policy-def-name.png │ ├── 2.1.update-alz-custom-policy-assignments.png │ ├── 2.2.update-alz-custom-policy-delete-assignments.png │ ├── 2.3.update-alz-custom-policy-search.png │ ├── 2.4.update-alz-custom-policy-search.png │ ├── 2023-10-30_RepoTags.png │ ├── ALZ Policy Assignments v2.xlsx │ ├── ALZ-secondaryregion-multisubscription.jpg │ ├── ALZ-secondaryregion-singlesubscription.jpg │ ├── ActiveActive.png │ ├── AzGovViz-ALZ-Policy-outDated.png │ ├── AzGovViz-ALZ-Policy.png │ ├── Connectivity_v0.1.jpg │ ├── Corp_v0.1.jpg │ ├── Decom_v0.1.svg │ ├── ES-process.png │ ├── ESLZ-Company-Prefix-2-singlesubscription.jpg │ ├── ESLZ-Company-Prefix-singlesubscription.jpg │ ├── ESLZ-Company-Prefix.JPG │ ├── ESLZ-Company-Prefix.png │ ├── ESLZ-Update-location-assignment-policy.JPG │ ├── ESLZ-location-assignment-policy.JPG │ ├── ESLZ.gif │ ├── Enterprise Scale - PolicyDefinitionAssignments.xlsx │ ├── HS.png │ ├── Identity_v0.1.jpg │ ├── IntRoot_v0.1.jpg │ ├── LandingZone_v0.1.jpg │ ├── Management_v0.1.jpg │ ├── MgmtGroups_Policies_v0.1.svg │ ├── MvnetHS.png │ ├── 
MvnetHSPP.png │ ├── North Star process visuals.pptx │ ├── NorthStar Networking images.pptx │ ├── Online_v0.1.jpg │ ├── Platform_v0.1.svg │ ├── Sandbox_v0.1.svg │ ├── WN-RBACCleanup.png │ ├── aad-rolesandadministrators.png │ ├── ado-add-build-policy.png │ ├── ado-complete-pr.png │ ├── ado-env-approval.png │ ├── ado-import-repo.png │ ├── ado-manage-repo.png │ ├── ado-permissions-group.png │ ├── ado-pipeline-create.png │ ├── ado-pipeline-variable.png │ ├── ado-repo-buildservice.png │ ├── ado-repo-forcepush.png │ ├── ado-repo-policy.png │ ├── alz-assign-builtin-policy-01.png │ ├── alz-contrib-portal1.png │ ├── alz-delete-policy-assign-01.png │ ├── alz-delete-policy-def-01.png │ ├── alz-determine-policy-assign-01.png │ ├── alz-determine-policy-assign-02.png │ ├── alz-portal-baselinealerts.jpg │ ├── alz-portal-decommsandbox.jpg │ ├── alz-portal-landingzones.jpg │ ├── alz-update-initiative-with-builtin-01.png │ ├── alz-update-initiative-with-builtin-02.png │ ├── alz-update-initiative-with-builtin-03.png │ ├── alz-update-initiative-with-builtin-04.png │ ├── alz-update-to-builtin-01.png │ ├── alzPolicyAzAdvertizer.png │ ├── ama-migrate-whatif.gif │ ├── ama-migrate.gif │ ├── ama-update-whatif.gif │ ├── ama-update.gif │ ├── azops-create-pr.png │ ├── azops-deployment.png │ ├── azops-initial-commit.png │ ├── azops-inside-root-dir.png │ ├── azops-online-path.png │ ├── azops-policy-assigned-online.png │ ├── azops-policy-disabled.png │ ├── azops-policy-enforcement-mode-change.png │ ├── azops-pr-validate-action.png │ ├── azops-pr-validate-comment.png │ ├── azops-push-workflow.png │ ├── caf-docs-mstone-2-toc.png │ ├── clip_image-iac-1-singlesubscription.jpg │ ├── clip_image-iac-2-singlesubscription.jpg │ ├── clip_image004.jpg │ ├── clip_image006.jpg │ ├── clip_image008.jpg │ ├── clip_image010-1-singlesubscription.jpg │ ├── clip_image010.jpg │ ├── clip_image012.jpg │ ├── clip_image014-1-singlesubscription.jpg │ ├── clip_image014-2-singlesubscription.jpg │ ├── 
clip_image014-3-singlesubscription.jpg │ ├── clip_image014-singlesubscription.jpg │ ├── clip_image014.jpg │ ├── clip_image014asc-1-singlesubscription.jpg │ ├── clip_image014asc-2-singlesubscription.jpg │ ├── clip_image014asc-3-singlesubscription.jpg │ ├── clip_image014asc-4-singlesubscription.jpg │ ├── clip_image014asc-singlesubscription.jpg │ ├── clip_image014asc.jpg │ ├── clip_image015.png │ ├── clip_image017.jpg │ ├── clip_image018.png │ ├── clip_image020.jpg │ ├── clip_image022.png │ ├── clip_image024.png │ ├── clip_image026.png │ ├── clip_image028.jpg │ ├── clip_image030.jpg │ ├── clip_image032.jpg │ ├── clip_image034.png │ ├── clip_image035.png │ ├── clip_image036a.png │ ├── clip_image036b-0-singlesubscription.png │ ├── clip_image036b-1-singlesubscription.png │ ├── clip_image036b-10-singlesubscription.png │ ├── clip_image036b-11-singlesubscription.png │ ├── clip_image036b-12-singlesubscription.png │ ├── clip_image036b-13-singlesubscription.png │ ├── clip_image036b-2-singlesubscription.png │ ├── clip_image036b-3-singlesubscription.png │ ├── clip_image036b-4-singlesubscription.png │ ├── clip_image036b-5-singlesubscription.png │ ├── clip_image036b-6-singlesubscription.png │ ├── clip_image036b-7-singlesubscription.png │ ├── clip_image036b-8-singlesubscription.png │ ├── clip_image036b-9-singlesubscription.png │ ├── clip_image036b.png │ ├── clip_image036c-1-singlesubscription.png │ ├── clip_image036c-2-singlesubscription.png │ ├── clip_image036c-singlesubscription.png │ ├── clip_image036c.png │ ├── clip_image037-1-singlesubscription.jpg │ ├── clip_image037-2-singlesubscription.jpg │ ├── clip_image037-3-singlesubscription.jpg │ ├── clip_image037-4-singlesubscription.jpg │ ├── clip_image037-5-singlesubscription.jpg │ ├── clip_image037-6-singlesubscription.jpg │ ├── clip_image037.jpg │ ├── clip_image039-singlesubscription.jpg │ ├── clip_image039.jpg │ ├── clip_image040.png │ ├── clip_image042.jpg │ ├── clip_image044.png │ ├── clip_image046.jpg │ ├── clip_image048.jpg 
│ ├── clip_image050.jpg │ ├── clip_image052.jpg │ ├── clip_image054.jpg │ ├── clip_image056.jpg │ ├── clip_image058.jpg │ ├── clip_image060.jpg │ ├── clip_image062.jpg │ ├── clip_image063.png │ ├── clip_image065.jpg │ ├── clip_image067.jpg │ ├── clip_image069.jpg │ ├── clip_image071.jpg │ ├── clip_image073.jpg │ ├── clip_image074.jpg │ ├── clip_image075.jpg │ ├── clip_image077.jpg │ ├── clip_image078.jpg │ ├── clip_image080.png │ ├── clip_image081.png │ ├── clip_image082.png │ ├── clip_image083.png │ ├── clip_image084.png │ ├── clip_image085.png │ ├── cmanged-nt.png │ ├── community-calls │ ├── april-2023 │ │ ├── ALZ-Community-Call-27-04-2023.pdf │ │ └── alz-april-2023-youtube-screenshot.png │ ├── aug-2021 │ │ ├── ESLZ-Community-Call-25082021.pdf │ │ └── eslz-aug-2021-youtube-screenshot.png │ ├── dec-2023 │ │ ├── ALZ-Community-Call-06122023.pdf │ │ └── youtube-screenshot.png │ ├── jan-2023 │ │ ├── ALZ-Community-Call-31012023.pdf │ │ └── alz-jan-2023-youtube-screenshot.png │ ├── jan-2025 │ │ ├── ALZ-Community-Call-29012025.pdf │ │ └── youtube-thumb.png │ ├── june-2024 │ │ ├── ALZ-Community-Call-12062024.pdf │ │ └── youtube-thumbnail.png │ ├── march-2024 │ │ ├── ALZ-Community-Call-11032024.pdf │ │ └── youtube-thumbnail.png │ ├── may-2022 │ │ ├── ALZ-Community-Call-02052022.pdf │ │ └── alz-may-2022-youtube-screenshot.png │ ├── may-2025 │ │ ├── ALZ-Community-Call-07052025.pdf │ │ └── youtube-thumb.png │ ├── nov-2021 │ │ ├── ESLZ-Community-Call-17112021.pdf │ │ └── eslz-nov-2021-youtube-screenshot.png │ ├── sept-2023 │ │ ├── ALZ-Community-Call-25092023.pdf │ │ └── youtube-screenshot.png │ └── sept-2024 │ │ ├── ALZ-Community-Call-25092024.pdf │ │ └── youtube-thumbnail.png │ ├── cua-parameter.png │ ├── cua-portal-experience-disabled.jpg │ ├── cua-portal-experience-enabled.jpg │ ├── cua-resource.png │ ├── cua-variable.png │ ├── devops.png │ ├── directory-reader.png │ ├── e2e-armtemplate.png │ ├── ea-account-spn.png │ ├── ea.png │ ├── ef73.jpg │ ├── ef73.svg │ ├── 
eg-net-top.png │ ├── enc-flows.png │ ├── es-hubspoke-nw.png │ ├── es-iab.png │ ├── example-def-in-init-2.png │ ├── example-def-in-init.png │ ├── github_developer_createPAT.png │ ├── github_developer_disablesso.png │ ├── github_developer_enablesso.png │ ├── global-transit.png │ ├── iam.png │ ├── implementation-scope.png │ ├── lz-design.png │ ├── mg-hierarchy-settings.png │ ├── mg-resource-prefix-portal.png │ ├── mgmt-mon.png │ ├── net-con.png │ ├── net-con2.png │ ├── ns-arch.png │ ├── policies-bicep-example.png │ ├── policy-metadata-example.png │ ├── pr-example.png │ ├── sub-org.png │ ├── zt1.png │ ├── zt2.png │ ├── zt3.png │ ├── zt4.png │ ├── zt5-2.png │ ├── zt5.png │ ├── zt6.png │ ├── zt7.png │ ├── zt8.png │ └── zt9.png ├── eslzArm ├── README-AzureChina.md ├── README.md ├── eslz-portal.json ├── eslzArm.json ├── eslzArm.terraform-sync.param.json ├── eslzArm.test.param.hns.json ├── eslzArm.test.param.json ├── eslzArm.test.param.std.json ├── eslzArm.test.param.vwan.json ├── fairfaxeslz-portal.json ├── managementGroupTemplates │ ├── diagSettingsMGs │ │ └── diagSettingsMGs.json │ ├── mgmtGroupStructure │ │ ├── mgmtGroups.json │ │ └── mgmtGroupsLite.json │ ├── policyAssignments │ │ ├── AUDIT-AppGwWafPolicyAssignment.json │ │ ├── AUDIT-PeDnsZonesPolicyAssignment.json │ │ ├── AUDIT-ResourceRGLocationPolicyAssignment.json │ │ ├── AUDIT-TrustedLaunchPolicyAssignment.json │ │ ├── AUDIT-UnusedResourcesPolicyAssignment.json │ │ ├── AUDIT-ZoneResilientPolicyAssignment.json │ │ ├── DENY-AksPrivEscalationPolicyAssignment.json │ │ ├── DENY-AksPrivilegedPolicyAssignment.json │ │ ├── DENY-AksWithoutHttpsPolicyAssignment.json │ │ ├── DENY-ClassicResourceTypesPolicyAssignment.json │ │ ├── DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json │ │ ├── DENY-HybridNetworkingPolicyAssignment.json │ │ ├── DENY-IPForwardingPolicyAssignment.json │ │ ├── DENY-MgmtPortsFromInternetPolicyAssignment.json │ │ ├── DENY-PublicEndpointPolicyAssignment.json │ │ ├── 
DENY-PublicIpAddressOnNICPolicyAssignment.json │ │ ├── DENY-PublicIpAddressPolicyAssignment.json │ │ ├── DENY-StorageWithoutHttpsPolicyAssignment.json │ │ ├── DENY-SubnetWithoutNsgPolicyAssignment.json │ │ ├── DENY-VMUnmanagedDiskPolicyAssignment.json │ │ ├── DENYACTION-DeleteUAMIAMAPolicyAssignment.json │ │ ├── DINE-ASBPolicyAssignment.json │ │ ├── DINE-ActivityLogPolicyAssignment.json │ │ ├── DINE-AtpOssDbPolicyAssignment.json │ │ ├── DINE-AtpSqlDbPolicyAssignment.json │ │ ├── DINE-ChangeTrackingVMArcPolicyAssignment.json │ │ ├── DINE-ChangeTrackingVMPolicyAssignment.json │ │ ├── DINE-ChangeTrackingVMSSPolicyAssignment.json │ │ ├── DINE-MDEndpointsAMAPolicyAssignment.json │ │ ├── DINE-MDEndpointsPolicyAssignment.json │ │ ├── DINE-MDFCConfigPolicyAssignment.json │ │ ├── DINE-MDFCDefenderSQLAMAPolicyAssignment.json │ │ ├── DINE-PrivateDNSZonesPolicyAssignment.json │ │ ├── DINE-ResourceDiagnosticsPolicyAssignment.json │ │ ├── DINE-SQLAuditingPolicyAssignment.json │ │ ├── DINE-SQLEncryptionPolicyAssignment.json │ │ ├── DINE-SQLThreatPolicyAssignment.json │ │ ├── DINE-VMBackupPolicyAssignment.json │ │ ├── DINE-VMHybridMonitoringPolicyAssignment.json │ │ ├── DINE-VMMonitoringPolicyAssignment.json │ │ ├── DINE-VMSSMonitoringPolicyAssignment.json │ │ ├── ENFORCE-ALZ-DecommissionedPolicyAssignment.json │ │ ├── ENFORCE-ALZ-SandboxPolicyAssignment.json │ │ ├── ENFORCE-AcsbPolicyAssignment.json │ │ ├── ENFORCE-BackupPolicyAssignment.json │ │ ├── ENFORCE-EncryptionCMKPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsAPIMPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsAppServicesPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsAutomationPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsBotServicePolicyAssignment.json │ │ ├── ENFORCE-GuardrailsCognitiveServicesPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsComputePolicyAssignment.json │ │ ├── ENFORCE-GuardrailsContainerAppsPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsContainerInstancePolicyAssignment.json │ │ ├── 
ENFORCE-GuardrailsContainerRegistryPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsCosmosDbPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsDataExplorerPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsDataFactoryPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsEventGridPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsEventHubPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsKeyVaultPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsKeyVaultSupPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsKubernetesPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsMachineLearningPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsMySQLPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsNetworkPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsOpenAIPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsPostgreSQLPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsSQLPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsServiceBusPolicyAssignment.json │ │ ├── ENFORCE-GuardrailsStoragePolicyAssignment.json │ │ ├── ENFORCE-GuardrailsSynapsePolicyAssignment.json │ │ ├── ENFORCE-GuardrailsVirtualDesktopPolicyAssignment.json │ │ ├── ENFORCE-RegulatoryCompliancePolicyAssignment.json │ │ ├── ENFORCE-SubnetPrivatePolicyAssignment.json │ │ ├── MODIFY-AUM-CheckUpdatesPolicyAssignment.json │ │ ├── MODIFY-DDoSPolicyAssignment.json │ │ ├── china │ │ │ └── mcDINE-MDFCConfigPolicyAssignment.json │ │ └── gov │ │ │ ├── fairfaxDINE-MDFCConfigPolicyAssignment.json │ │ │ └── fairfaxDINE-PrivateDNSZonesPolicyAssignment.json │ ├── policyDefinitions │ │ ├── README.md │ │ ├── initiatives.json │ │ └── policies.json │ ├── roleAssignments │ │ └── roleAssignment.json │ ├── roleDefinitions │ │ ├── README.md │ │ └── customRoleDefinitions.json │ └── subscriptionOrganization │ │ └── subscriptionOrganization.json ├── prerequisites │ └── deployPrerequisites.json ├── resourceGroupTemplates │ ├── azureFirewall.json │ ├── dataCollectionRule-CT.json │ ├── dataCollectionRule-DefenderSQL.json │ ├── dataCollectionRule-VmInsights.json │ ├── ddosProtection.json 
│ ├── expressRouteCircuit.json │ ├── privateDnsZones.json │ ├── userAssignedIdentity.json │ └── vnetRouteTable.json └── subscriptionTemplates │ ├── ascConfiguration.json │ ├── avnmConfiguration.json │ ├── avnmPolicy.json │ ├── azActivityDiagnostics.json │ ├── azFw-basepolicy.json │ ├── corp-vnet-peering.json │ ├── hubspoke-connectivity.json │ ├── logAnalyticsWorkspace.json │ ├── mdfcConfiguration.json │ ├── nvahubspoke-connectivity.json │ ├── resourceGroup.json │ ├── vnetPeering.json │ ├── vnetPeeringHub.json │ ├── vnetPeeringVwan.json │ ├── vpnGateway.json │ └── vwan-connectivity.json ├── examples ├── 10-create-managementgroup.parameters.json ├── 20-create-child-managementgroup.parameters.json ├── 30-create-policydefinition-at-managementgroup.parameters.json ├── 40-create-policyassignment-at-managementgroup.parameters.json ├── README.md ├── landing-zones │ ├── README.md │ ├── connected-subscription │ │ ├── README.md │ │ └── connectedSubscription.json │ ├── empty-subscription │ │ ├── README.md │ │ └── emptySubscription.json │ ├── subscription-into-managementGroup │ │ ├── README.md │ │ └── subscriptionIntoManagementGroup.json │ ├── subscription-with-rbac │ │ ├── README.md │ │ ├── portal-subscriptionWithRbac.json │ │ └── subscriptionWithRbac.json │ └── tagged-subscription │ │ ├── README.md │ │ └── taggedSubscription.json ├── management-groups │ ├── README.md │ └── child-group │ │ └── child-group.json └── policies │ └── policy-definition │ ├── README.md │ └── policy-definition.json ├── src ├── Alz.Tools │ ├── Alz.Classes │ │ ├── Alz.Classes.psd1 │ │ └── Alz.Classes.psm1 │ ├── Alz.Enums │ │ ├── Alz.Enums.psd1 │ │ └── Alz.Enums.psm1 │ ├── Alz.Tools.psd1 │ ├── Alz.Tools.psm1 │ ├── ProviderApiVersions.zip │ ├── functions │ │ └── Alz.Tools.ps1 │ └── scripts │ │ └── Update-ProviderApiVersionsZip.ps1 ├── portal │ └── release.json ├── resources │ └── Microsoft.Authorization │ │ ├── policyDefinitions │ │ ├── Append-AppService-httpsonly.json │ │ ├── 
Append-AppService-latestTLS.json │ │ ├── Append-KV-SoftDelete.json │ │ ├── Append-Redis-disableNonSslPort.json │ │ ├── Append-Redis-sslEnforcement.json │ │ ├── Audit-AzureHybridBenefit.json │ │ ├── Audit-Disks-UnusedResourcesCostOptimization.json │ │ ├── Audit-MachineLearning-PrivateEndpointId.json │ │ ├── Audit-PrivateLinkDnsZones.json │ │ ├── Audit-PublicIpAddresses-UnusedResourcesCostOptimization.json │ │ ├── Audit-ServerFarms-UnusedResourcesCostOptimization.json │ │ ├── Audit-Tags-Mandatory-Rg.json │ │ ├── Audit-Tags-Mandatory.json │ │ ├── Deny-AA-child-resources.json │ │ ├── Deny-AFSPaasPublicIP.AzureChinaCloud.json │ │ ├── Deny-APIM-TLS.json │ │ ├── Deny-AppGW-Without-WAF.json │ │ ├── Deny-AppGw-Without-Tls.json │ │ ├── Deny-AppService-without-BYOC.json │ │ ├── Deny-AppServiceApiApp-http.json │ │ ├── Deny-AppServiceFunctionApp-http.json │ │ ├── Deny-AppServiceWebApp-http.json │ │ ├── Deny-AzFw-Without-Policy.json │ │ ├── Deny-CognitiveServices-NetworkAcls.json │ │ ├── Deny-CognitiveServices-Resource-Kinds.json │ │ ├── Deny-CognitiveServices-RestrictOutboundNetworkAccess.json │ │ ├── Deny-Databricks-NoPublicIp.json │ │ ├── Deny-Databricks-Sku.json │ │ ├── Deny-Databricks-VirtualNetwork.json │ │ ├── Deny-EH-MINTLS.json │ │ ├── Deny-EH-Premium-CMK.json │ │ ├── Deny-FileServices-InsecureAuth.json │ │ ├── Deny-FileServices-InsecureKerberos.json │ │ ├── Deny-FileServices-InsecureSmbChannel.json │ │ ├── Deny-FileServices-InsecureSmbVersions.json │ │ ├── Deny-KeyVaultPaasPublicIP.AzureChinaCloud.json │ │ ├── Deny-LogicApp-Public-Network.json │ │ ├── Deny-LogicApps-Without-Https.json │ │ ├── Deny-MachineLearning-Aks.json │ │ ├── Deny-MachineLearning-Compute-SubnetId.json │ │ ├── Deny-MachineLearning-Compute-VmSize.json │ │ ├── Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json │ │ ├── Deny-MachineLearning-ComputeCluster-Scale.json │ │ ├── Deny-MachineLearning-HbiWorkspace.json │ │ ├── Deny-MachineLearning-PublicAccessWhenBehindVnet.json │ │ ├── 
Deny-MachineLearning-PublicNetworkAccess.json │ │ ├── Deny-MgmtPorts-From-Internet.json │ │ ├── Deny-MySql-http.json │ │ ├── Deny-PostgreSql-http.json │ │ ├── Deny-Private-DNS-Zones.json │ │ ├── Deny-PublicEndpoint-MariaDB.json │ │ ├── Deny-PublicIP.json │ │ ├── Deny-RDP-From-Internet.json │ │ ├── Deny-Redis-http.json │ │ ├── Deny-Service-Endpoints.json │ │ ├── Deny-Sql-minTLS.json │ │ ├── Deny-SqlMi-minTLS.json │ │ ├── Deny-Storage-ContainerDeleteRetentionPolicy.json │ │ ├── Deny-Storage-CopyScope.json │ │ ├── Deny-Storage-CorsRules.json │ │ ├── Deny-Storage-LocalUser.json │ │ ├── Deny-Storage-NetworkAclsBypass.json │ │ ├── Deny-Storage-NetworkAclsVirtualNetworkRules.json │ │ ├── Deny-Storage-ResourceAccessRulesResourceId.json │ │ ├── Deny-Storage-ResourceAccessRulesTenantId.json │ │ ├── Deny-Storage-SFTP.json │ │ ├── Deny-Storage-ServicesEncryption.json │ │ ├── Deny-Storage-minTLS.json │ │ ├── Deny-StorageAccount-CustomDomain.json │ │ ├── Deny-Subnet-Without-Nsg.json │ │ ├── Deny-Subnet-Without-Penp.json │ │ ├── Deny-Subnet-Without-Udr.json │ │ ├── Deny-UDR-With-Specific-NextHop.json │ │ ├── Deny-VNET-Peer-Cross-Sub.json │ │ ├── Deny-VNET-Peering-To-Non-Approved-VNETs.json │ │ ├── Deny-VNet-Peering.json │ │ ├── DenyAction-ActivityLogs.json │ │ ├── DenyAction-DeleteResources.json │ │ ├── DenyAction-DiagnosticLogs.json │ │ ├── Deploy-ASC-SecurityContacts.json │ │ ├── Deploy-ActivityLogs-to-LA-workspace.AzureChinaCloud.json │ │ ├── Deploy-Budget.json │ │ ├── Deploy-Custom-Route-Table.json │ │ ├── Deploy-DDoSProtection.json │ │ ├── Deploy-Default-Udr.AzureChinaCloud.json │ │ ├── Deploy-Default-Udr.AzureUSGovernment.json │ │ ├── Deploy-Diagnostics-AA.json │ │ ├── Deploy-Diagnostics-ACI.json │ │ ├── Deploy-Diagnostics-ACR.json │ │ ├── Deploy-Diagnostics-APIMgmt.json │ │ ├── Deploy-Diagnostics-AVDScalingPlans.json │ │ ├── Deploy-Diagnostics-AnalysisService.json │ │ ├── Deploy-Diagnostics-ApiForFHIR.json │ │ ├── Deploy-Diagnostics-ApplicationGateway.json │ │ ├── 
Deploy-Diagnostics-Bastion.json │ │ ├── Deploy-Diagnostics-CDNEndpoints.json │ │ ├── Deploy-Diagnostics-CognitiveServices.json │ │ ├── Deploy-Diagnostics-CosmosDB.json │ │ ├── Deploy-Diagnostics-DLAnalytics.json │ │ ├── Deploy-Diagnostics-DataExplorerCluster.json │ │ ├── Deploy-Diagnostics-DataFactory.json │ │ ├── Deploy-Diagnostics-Databricks.json │ │ ├── Deploy-Diagnostics-EventGridSub.json │ │ ├── Deploy-Diagnostics-EventGridSystemTopic.json │ │ ├── Deploy-Diagnostics-EventGridTopic.json │ │ ├── Deploy-Diagnostics-ExpressRoute.json │ │ ├── Deploy-Diagnostics-Firewall.json │ │ ├── Deploy-Diagnostics-FrontDoor.json │ │ ├── Deploy-Diagnostics-Function.json │ │ ├── Deploy-Diagnostics-HDInsight.json │ │ ├── Deploy-Diagnostics-LoadBalancer.json │ │ ├── Deploy-Diagnostics-LogAnalytics.json │ │ ├── Deploy-Diagnostics-LogicAppsISE.json │ │ ├── Deploy-Diagnostics-MariaDB.json │ │ ├── Deploy-Diagnostics-MediaService.json │ │ ├── Deploy-Diagnostics-MlWorkspace.json │ │ ├── Deploy-Diagnostics-MySQL.json │ │ ├── Deploy-Diagnostics-NIC.json │ │ ├── Deploy-Diagnostics-NetworkSecurityGroups.json │ │ ├── Deploy-Diagnostics-PostgreSQL.json │ │ ├── Deploy-Diagnostics-PowerBIEmbedded.json │ │ ├── Deploy-Diagnostics-RedisCache.json │ │ ├── Deploy-Diagnostics-Relay.json │ │ ├── Deploy-Diagnostics-SQLElasticPools.json │ │ ├── Deploy-Diagnostics-SQLMI.json │ │ ├── Deploy-Diagnostics-SignalR.json │ │ ├── Deploy-Diagnostics-TimeSeriesInsights.json │ │ ├── Deploy-Diagnostics-TrafficManager.json │ │ ├── Deploy-Diagnostics-VM.json │ │ ├── Deploy-Diagnostics-VMSS.json │ │ ├── Deploy-Diagnostics-VNetGW.json │ │ ├── Deploy-Diagnostics-VWanS2SVPNGW.json │ │ ├── Deploy-Diagnostics-VirtualNetwork.json │ │ ├── Deploy-Diagnostics-WVDAppGroup.json │ │ ├── Deploy-Diagnostics-WVDHostPools.json │ │ ├── Deploy-Diagnostics-WVDWorkspace.json │ │ ├── Deploy-Diagnostics-WebServerFarm.json │ │ ├── Deploy-Diagnostics-Website.json │ │ ├── Deploy-Diagnostics-iotHub.json │ │ ├── Deploy-FirewallPolicy.json │ │ ├── 
Deploy-LogicApp-TLS.json │ │ ├── Deploy-MDFC-Arc-SQL-DCR-Association.json │ │ ├── Deploy-MDFC-Arc-SQL-DefenderSQL-DCR.json │ │ ├── Deploy-MDFC-SQL-AMA.json │ │ ├── Deploy-MDFC-SQL-DefenderSQL-DCR.json │ │ ├── Deploy-MDFC-SQL-DefenderSQL.json │ │ ├── Deploy-MySQL-sslEnforcement.json │ │ ├── Deploy-MySQLCMKEffect.AzureChinaCloud.json │ │ ├── Deploy-Nsg-FlowLogs-to-LA.json │ │ ├── Deploy-Nsg-FlowLogs.json │ │ ├── Deploy-PostgreSQL-sslEnforcement.json │ │ ├── Deploy-PostgreSQLCMKEffect.AzureChinaCloud.json │ │ ├── Deploy-Private-DNS-Azure-File-Sync.AzureChinaCloud.json │ │ ├── Deploy-Private-DNS-Azure-KeyVault.AzureChinaCloud.json │ │ ├── Deploy-Private-DNS-Azure-Web.AzureChinaCloud.json │ │ ├── Deploy-Private-DNS-Generic.json │ │ ├── Deploy-SQL-minTLS.json │ │ ├── Deploy-Sql-AuditingSettings.json │ │ ├── Deploy-Sql-SecurityAlertPolicies.json │ │ ├── Deploy-Sql-Tde.json │ │ ├── Deploy-Sql-vulnerabilityAssessments.json │ │ ├── Deploy-Sql-vulnerabilityAssessments_20230706.json │ │ ├── Deploy-SqlMi-minTLS.json │ │ ├── Deploy-Storage-sslEnforcement.json │ │ ├── Deploy-UserAssignedManagedIdentity-VMInsights.json │ │ ├── Deploy-VNET-HubSpoke.json │ │ ├── Deploy-Vm-autoShutdown.json │ │ ├── Deploy-Windows-DomainJoin.json │ │ ├── Modify-NSG.json │ │ └── Modify-UDR.json │ │ ├── policySetDefinitions │ │ ├── Audit-TrustedLaunch.json │ │ ├── Audit-UnusedResourcesCostOptimization.json │ │ ├── Deny-PublicPaaSEndpoints.AzureChinaCloud.json │ │ ├── Deny-PublicPaaSEndpoints.AzureUSGovernment.json │ │ ├── Deny-PublicPaaSEndpoints.json │ │ ├── DenyAction-DeleteProtection.json │ │ ├── Deploy-AUM-CheckUpdates.json │ │ ├── Deploy-Diagnostics-LogAnalytics.AzureChinaCloud.json │ │ ├── Deploy-Diagnostics-LogAnalytics.AzureUSGovernment.json │ │ ├── Deploy-Diagnostics-LogAnalytics.json │ │ ├── Deploy-MDFC-Config.AzureChinaCloud.json │ │ ├── Deploy-MDFC-Config.AzureUSGovernment.json │ │ ├── Deploy-MDFC-Config.json │ │ ├── Deploy-MDFC-Config_20240319.json │ │ ├── Deploy-MDFC-DefenderSQL-AMA.json │ 
│ ├── Deploy-Private-DNS-Zones.AzureChinaCloud.json │ │ ├── Deploy-Private-DNS-Zones.AzureUSGovernment.json │ │ ├── Deploy-Private-DNS-Zones.json │ │ ├── Deploy-Sql-Security.json │ │ ├── Deploy-Sql-Security_20240529.json │ │ ├── Enforce-ACSB.json │ │ ├── Enforce-ALZ-Decomm.json │ │ ├── Enforce-ALZ-Sandbox.json │ │ ├── Enforce-Backup.json │ │ ├── Enforce-EncryptTransit.json │ │ ├── Enforce-EncryptTransit_20240509.json │ │ ├── Enforce-EncryptTransit_20241211.json │ │ ├── Enforce-Encryption-CMK.AzureChinaCloud.json │ │ ├── Enforce-Encryption-CMK.AzureUSGovernment.json │ │ ├── Enforce-Encryption-CMK.json │ │ ├── Enforce-Encryption-CMK_20250218.json │ │ ├── Enforce-Guardrails-APIM.json │ │ ├── Enforce-Guardrails-AppServices.json │ │ ├── Enforce-Guardrails-Automation.json │ │ ├── Enforce-Guardrails-BotService.json │ │ ├── Enforce-Guardrails-CognitiveServices.json │ │ ├── Enforce-Guardrails-Compute.json │ │ ├── Enforce-Guardrails-ContainerApps.json │ │ ├── Enforce-Guardrails-ContainerInstance.json │ │ ├── Enforce-Guardrails-ContainerRegistry.json │ │ ├── Enforce-Guardrails-CosmosDb.json │ │ ├── Enforce-Guardrails-DataExplorer.json │ │ ├── Enforce-Guardrails-DataFactory.json │ │ ├── Enforce-Guardrails-EventGrid.json │ │ ├── Enforce-Guardrails-EventHub.json │ │ ├── Enforce-Guardrails-KeyVault-Sup.json │ │ ├── Enforce-Guardrails-KeyVault.json │ │ ├── Enforce-Guardrails-Kubernetes.json │ │ ├── Enforce-Guardrails-MachineLearning.json │ │ ├── Enforce-Guardrails-MySQL.json │ │ ├── Enforce-Guardrails-Network.json │ │ ├── Enforce-Guardrails-OpenAI.json │ │ ├── Enforce-Guardrails-PostgreSQL.json │ │ ├── Enforce-Guardrails-SQL.json │ │ ├── Enforce-Guardrails-ServiceBus.json │ │ ├── Enforce-Guardrails-Storage.json │ │ ├── Enforce-Guardrails-Synapse.json │ │ └── Enforce-Guardrails-VirtualDesktop.json │ │ └── roleDefinitions │ │ ├── Application-Owners.json │ │ ├── Network-Management.json │ │ ├── OssDb-Owners.json │ │ ├── Security-Operations.json │ │ └── Subscription-Owner.json ├── 
scripts │ ├── Export-ResourcesFromARM.ps1 │ ├── Invoke-ActionGenerateEslzArmConfig.ps1 │ ├── Invoke-ActionRegisterSubscriptions.ps1 │ ├── Invoke-ActionRemoveOrphanedRBAC.ps1 │ ├── Invoke-ActionRunEslzArmDeployment.ps1 │ ├── Invoke-AlzCustomPolicyCheckAgainstBuiltIn.ps1 │ ├── New-AlzPoliciesArmTemplate.ps1 │ ├── Set-RBACAmaPolicyAssignment.ps1 │ └── Update-AzureLandingZonesToAMA.ps1 └── templates │ ├── initiatives.bicep │ ├── policies.bicep │ └── roles.bicep ├── tests ├── policy │ ├── Deny-AA-child-resources.Tests.ps1.TODO │ ├── Deny-AppGW-Without-WAF.Tests.ps1 │ ├── Deny-AppServiceApiApp-http.Tests.ps1 │ ├── Deny-AppServiceFunctionApp-http.Tests.ps1 │ ├── Deny-AppServiceWebApp-http.Tests.ps1 │ ├── Deny-FileServices-InsecureAuth.Tests.ps1 │ ├── Deny-FileServices-InsecureKerberos.Tests.ps1 │ ├── Deny-FileServices-InsecureSmbChannel.Tests.ps1 │ ├── Deny-FileServices-InsecureSmbVersions.Tests.ps1 │ ├── Deny-MgmtPorts-From-Internet.Tests.ps1 │ ├── Deny-MySql-http.Tests.ps1 │ ├── Deny-PostgreSql-http.Tests.ps1 │ ├── Deny-Private-DNS-Zones.Tests.ps1 │ ├── Deny-Redis-http.Tests.ps1.TODO │ ├── Deny-Storage-SFTP.Tests.ps1 │ ├── Deny-Storage-minTLS.Tests.ps1 │ ├── Deny-StorageAccount-CustomDomain.Tests.ps1 │ ├── Deny-Subnet-Without-Nsg.Tests.ps1 │ ├── Deny-Subnet-Without-Penp.Tests.ps1 │ ├── Deny-Subnet-Without-Udr.Tests.ps1 │ ├── Deny-UDR-With-Specific-NextHop.Tests.ps1 │ ├── Deny-VNET-Peer-Cross-Sub.Tests.ps1 │ ├── Deny-VNET-Peering-To-Non-Approved-VNETs.Tests.ps1 │ └── Deny-VNet-Peering.Tests.ps1 └── utils │ ├── Generic.Utils.psm1 │ ├── Policy.Utils.psm1 │ ├── Rest.Utils.psm1 │ └── Test.Utils.psm1 ├── utils ├── github │ ├── Set-AlzGitHubLabels.ps1 │ └── alz-repo-standard-labels.csv └── policyTesting │ └── Install-PolicySetDefinitions.ps1 └── workloads └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | # .gitattributes snippet to force users to use same line endings for project. 
2 | # 3 | # Handle line endings automatically for files detected as text 4 | # and leave all files detected as binary untouched. 5 | * text=auto 6 | 7 | *.json text eol=lf -------------------------------------------------------------------------------- /.gitconfig: -------------------------------------------------------------------------------- 1 | [core] 2 | longpaths = true 3 | filemode = false 4 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # See for instructions on this file https://help.github.com/articles/about-codeowners/ 2 | 3 | # These owners will be the default owners for everything in 4 | # the repo. Unless a later match takes precedence, 5 | # @global-owner1 and @global-owner2 will be requested for 6 | # review when someone opens a pull request. 7 | 8 | .github/CODEOWNERS @Azure/eslz-codeownersadmins 9 | * @Azure/alz-core-team-technical 10 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/BUG_REPORT.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Bug report \U0001F41B" 3 | about: Report errors or unexpected behaviour 4 | title: 'Bug Report' 5 | labels: bug 6 | assignees: '' 7 | 8 | --- 9 | 10 | 11 | 12 | 13 | **Describe the bug** 14 | 15 | 16 | **Steps to reproduce** 17 | 18 | 1. 19 | 2. 
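20 | 21 | **Screenshots** 22 | 23 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/FEATURE_REQUEST.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: "Feature request \U0001F680" 3 | about: Suggest an idea for this project 4 | title: 'Feature Request' 5 | labels: feature 6 | assignees: '' 7 | 8 | --- 9 | 10 | 11 | 12 | 13 | **Describe the solution you'd like** 14 | 15 | -------------------------------------------------------------------------------- /.github/actions-config/gh-ado-sync-config.json: -------------------------------------------------------------------------------- 1 | { 2 | "log_level": "info", 3 | "ado": { 4 | "organization": "CSUSolEng", 5 | "project": "Azure Landing Zones", 6 | "wit": "GitHub Issue", 7 | "states": { 8 | "new": "New", 9 | "closed": "Closed", 10 | "reopened": "New", 11 | "deleted": "Removed", 12 | "active": "In Progress" 13 | }, 14 | "bypassRules": true, 15 | "autoCreate": true, 16 | "areaPath": "Azure Landing Zones" 17 | } 18 | } -------------------------------------------------------------------------------- /.github/actions-pester/PTF-TestPolicies.ps1: --------------------------------------------------------------------------------
# Runs the Pester test file that belongs to each added or modified policy
# definition. Get-PolicyFiles comes from PolicyPesterTestHelper.psm1 (not shown
# here); -DiffFilter "M" / "A" presumably select modified / added files.
Import-Module -Name $PSScriptRoot\PolicyPesterTestHelper.psm1 -Force -Verbose
Import-Module Pester -Force

function RunPester
{
    <#
    .SYNOPSIS
    Runs a single Pester test file with detailed, CI-formatted output.

    .PARAMETER PolicyTest
    Path of the *.Tests.ps1 file handed to New-PesterContainer.

    .NOTES
    The result object is captured but not emitted, and the exit call below is
    commented out, so a failing test does not change this script's exit status.
    NOTE(review): a pipeline that relies on this script as a gate has to check
    the outcome some other way - confirm with the calling workflow.
    #>
    param (
        [Parameter()]
        [String]$PolicyTest
    )

    $pesterConfiguration = @{
        Run    = @{
            Container = New-PesterContainer -Path $PolicyTest
            PassThru  = $true
        }
        Output = @{
            Verbosity = 'Detailed'
            CIFormat  = 'Auto'
        }
    }
    $result = Invoke-Pester -Configuration $pesterConfiguration
    #exit $result.FailedCount
}

# List the modified policies. The original test was inverted: it announced the
# list when it was empty and reported "no modified policies" when there were some.
$ModifiedFiles = @(Get-PolicyFiles -DiffFilter "M")
if (-not [String]::IsNullOrEmpty($ModifiedFiles))
{
    Write-Warning "These are the modified policies: $($ModifiedFiles)"
}
else
{
    Write-Warning "There are no modified policies"
}

# Same report for added policies (same inverted test fixed).
$AddedFiles = @(Get-PolicyFiles -DiffFilter "A")
if (-not [String]::IsNullOrEmpty($AddedFiles))
{
    Write-Warning "These are the added policies: $($AddedFiles)"
}
else
{
    Write-Warning "There are no added policies"
}

$ModifiedAddedFiles = $ModifiedFiles + $AddedFiles

# Skip empty entries so Split-Path is never called with an empty path.
$ModifiedAddedFiles | Where-Object { $_ } | ForEach-Object {

    # The file names originate from the change set under test. Split-Path -Leaf
    # keeps only the file name, so the derived path stays under tests/policy/.
    $PolicyFile = Split-Path $_ -Leaf
    # -replace takes a regular expression: escape the dot and anchor the match
    # so that only a trailing ".json" extension is removed.
    $PolicyFileClean = $PolicyFile -replace '\.json$', ''

    $testPath = "tests/policy/$($PolicyFileClean).Tests.ps1"

    if (Test-Path $testPath)
    {
        Write-Warning "Running pester tests on $PolicyFileClean"
        RunPester -PolicyTest $testPath
    }
    else
    {
        Write-Warning "There are no tests for $PolicyFileClean"
    }
}
-------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | 3 | updates: 4 | - package-ecosystem: "github-actions" 5 | directory: "/" 6 | schedule: 7 | interval: "daily" 8 | -------------------------------------------------------------------------------- /.github/workflows/check-policy-build.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Check Policy Build 3 | 4 | ########################################## 5 | # Start the job on PR for all branches # 6 | ########################################## 7 | 8 | # yamllint disable-line rule:truthy 9 | on: 10 | pull_request: 11 | types: 12 | - opened 13 | - reopened 14 | - synchronize 15 | - ready_for_review 16 | paths: 17 | - "eslzArm/**.json" 18 | - "src/Alz.Tools/**" 19 | - "src/**.json" 20 | - "src/**.bicep" 21 | 22 | ############### 23 | # Set the Job # 24 | ############### 25 | 26 | jobs: 27 | check-policy: 28 | name: Check Policy Build 29 | runs-on: ubuntu-latest 30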
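| 31 | steps: 32 | - name: Check out repository 33 | uses: actions/checkout@v4 34 | with: 35 | fetch-depth: 0 36 | 37 | - name: Check build 38 | shell: pwsh 39 | run: | 40 | Import-Module Pester -Force 41 | $pesterConfiguration = @{ 42 | Run = @{ 43 | Container = New-PesterContainer -Path "./.github/actions-pester/Test-BuildPolicies.Tests.ps1" 44 | PassThru = $true 45 | } 46 | Output = @{ 47 | Verbosity = 'Detailed' 48 | } 49 | } 50 | $result = Invoke-Pester -Configuration $pesterConfiguration 51 | exit $result.FailedCount -------------------------------------------------------------------------------- /.github/workflows/unit-test-policies.yml: --------------------------------------------------------------------------------
name: Unit Test Policies

##########################################
# Start the job on PR for all branches   #
##########################################

# This workflow checks out the pull request's head branch and runs Pester
# against it, so the job executes files supplied by the contributor. It is
# triggered by `pull_request`; keep it on that trigger. Moving it to
# `pull_request_target` while keeping the head checkout would run that code
# with the base repository's token and secrets.

# yamllint disable-line rule:truthy
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - ready_for_review
    paths:
      - "src/resources/Microsoft.Authorization/policyDefinitions/**.json"
      - "src/resources/Microsoft.Authorization/policySetDefinitions/**.json"
  workflow_dispatch: {}

# Least privilege for the workflow token: the visible steps only read the
# repository. NOTE(review): widen this only if Test-ModifiedPolicies.Tests.ps1
# (not shown here) calls the GitHub API.
permissions:
  contents: read

env:
  POLICY_DIR: "src/resources/Microsoft.Authorization/policyDefinitions"
  POLICYSET_DIR: "src/resources/Microsoft.Authorization/policySetDefinitions"

jobs:
  validate-policy-files:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): the action is referenced by a movable tag; pin it to a
        # full commit SHA if immutable action references are required.
        uses: actions/checkout@v4
        with:
          # Full history, presumably so the tests can diff against the base.
          fetch-depth: 0
          # Head branch and repository of the pull request. On a manual
          # workflow_dispatch run both expressions are empty and checkout
          # falls back to its defaults.
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
      - name: Pester Test for Modified Policies
        shell: pwsh
        # The step's exit code is the number of failed tests, so any failure
        # fails the job.
        run: |
          Import-Module Pester -Force
          $pesterConfiguration = @{
            Run = @{
              Container = New-PesterContainer -Path "./.github/actions-pester/Test-ModifiedPolicies.Tests.ps1"
              PassThru = $true
            }
            Output = @{
              Verbosity = 'Detailed'
            }
          }
          $result = Invoke-Pester -Configuration $pesterConfiguration
          exit $result.FailedCount
-------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # macOS 2 | .DS_Store 3 | 4 | # VSCode 5 | .vs 6 | .vscode/* 7 | !.vscode/settings.json 8 | !.vscode/tasks.json 9 | !.vscode/launch.json 10 | !.vscode/extensions.json 11 | *.code-workspace 12 | .vscode/settings.json 13 | 14 | # GitHub Super Linter 15 | super-linter.log 16 | 17 | src/data/eslzArm.test.deployment.json 18 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Microsoft Open Source Code of Conduct 2 | 3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 4 | 5 | Resources: 6 | 7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) 8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) 9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation.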
4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE 22 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | ## Microsoft Support Policy 4 | 5 | If issues are encountered when deploying these reference implementations users will be able to engage Microsoft support via their usual channels. Please provide correlation IDs where possible when contacting support to be able to investigate issue effectively and in timely fashion. For instruction on how to get deployments and correlation ID, please follow this link [here](https://learn.microsoft.com/azure/azure-resource-manager/templates/deployment-history?tabs=azure-portal#get-deployments-and-correlation-id). 
6 | 7 | The following issues are within the scope of Microsoft support: 8 | 9 | - Portal deployment of Reference implementations - WingTip, Contoso, AdventureWorks and Trey Research 10 | - Underlying Resource or Resource Provider issues when deploying template (e.g. Management Groups, Policies, Log Analytics Workspace, Virtual WAN, Virtual Network) for any deployment failure 11 | - Subscription Creation via portal experience 12 | - UI elements (e.g., ArmApiController) used in ARM Template 13 | - ARM Deployment Issues e.g. template validation, CheckAccess API etc. 14 | - Customization of Portal Template/Policy and UI Definition by customer/partners 15 | 16 | For any issue that Microsoft support deems outside of the above list and/or that requires a bugfix in the Template or Code in the repo, Microsoft support will redirect the user to file the issue on GitHub. 17 | 18 | Project maintainers and community aim to get issues resolved in a timely fashion as per the community support policy of this repo. 19 | 20 | ## Community Support Policy 21 | 22 | Project maintainers will aim to give a meaningful response to any new issue within 3 business days. 23 | 24 | ## How to file issues and get help 25 | 26 | This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new Issue. 27 | 28 | For help and questions about using this project, please submit a GitHub issue with corresponding [Issue Labels found here](https://github.com/Azure/Enterprise-Scale/labels). 
29 | -------------------------------------------------------------------------------- /docs/Deploy/configure-own-environment.md: -------------------------------------------------------------------------------- 1 | # Deploy Enterprise-Scale reference implementation in your own environment 2 | 3 | This section will guide you through the process of deploying an Enterprise-Scale reference implementation in your own environment. 4 | 5 | To deploy a sample Enterprise-Scale reference implementation, simply choose your favorite implementation (for example Contoso) and click on the Deploy to Azure button. You can use any of the reference implementations included within Enterprise-Scale: 6 | 7 | - [WingTip](../reference/wingtip/README.md) 8 | - [AdventureWorks](../reference/adventureworks/README.md) 9 | - [Contoso](../reference/contoso/Readme.md) 10 | 11 | This will create a sample Management Group structure that you can use as a starting point. 12 | 13 | ## Move Subscription under Management Groups 14 | 15 | Once the deployment is complete, ensure you move your Subscriptions under the desired Management Groups. 
-------------------------------------------------------------------------------- /docs/Deploy/deploy-new-policy-assignment.md: -------------------------------------------------------------------------------- 1 | # Deploy Policy assignment 2 | 3 | ⚠️ The content of this article has been moved to [here](https://github.com/Azure/Enterprise-Scale/wiki/Deploying-Enterprise-Scale#create-new-policy-assignment-for-validation) ⚠️ 4 | 5 | ## Next steps 6 | 7 | Once you have deployed new policy assignments, you can start [deploy Landing Zones](../EnterpriseScale-Deploy-landing-zones.md) 8 | -------------------------------------------------------------------------------- /docs/Deploy/media/arm-template.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/arm-template.png -------------------------------------------------------------------------------- /docs/Deploy/media/deployment-scopes.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/deployment-scopes.png -------------------------------------------------------------------------------- /docs/Deploy/media/ea-account-spn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/ea-account-spn.png -------------------------------------------------------------------------------- /docs/Deploy/media/github-workflow-trigger-manual.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/github-workflow-trigger-manual.png 
-------------------------------------------------------------------------------- /docs/Deploy/media/initialize-azops.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/initialize-azops.png -------------------------------------------------------------------------------- /docs/Deploy/media/lz-assignments-deployment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/lz-assignments-deployment.png -------------------------------------------------------------------------------- /docs/Deploy/media/lz-definition-deployment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/lz-definition-deployment.png -------------------------------------------------------------------------------- /docs/Deploy/media/platform-subscriptions.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/platform-subscriptions.png -------------------------------------------------------------------------------- /docs/Deploy/media/sample-deployment-scope.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/sample-deployment-scope.png -------------------------------------------------------------------------------- /docs/Deploy/media/tenant-level-deployment.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/tenant-level-deployment.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image1.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image10.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image11.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image11.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image12.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image12.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image13.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image13.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image2.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image3.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image4.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image5.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image6.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image7.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image8.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image8.png -------------------------------------------------------------------------------- /docs/Deploy/media/vnet_image9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/Deploy/media/vnet_image9.png -------------------------------------------------------------------------------- /docs/ESLZ-Policies.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Policies included in Azure Landing Zones reference implementations](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Policies) 4 | -------------------------------------------------------------------------------- /docs/EnterpriseScale-Architecture.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Enterprise-Scale Architecture](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Architecture) 4 | -------------------------------------------------------------------------------- /docs/EnterpriseScale-Contribution.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Contribution Guide](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Contribution) 4 | -------------------------------------------------------------------------------- /docs/EnterpriseScale-Deploy-landing-zones.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Create Landing Zone(s)](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-landing-zones) 4 | 
-------------------------------------------------------------------------------- /docs/EnterpriseScale-Deploy-reference-implentations.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Deploy Enterprise-Scale Reference implementation in your own environment](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-reference-implementations) 4 | -------------------------------------------------------------------------------- /docs/EnterpriseScale-Deploy-workloads.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Deploy workloads into the landing zones](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Deploy-workloads) 4 | -------------------------------------------------------------------------------- /docs/EnterpriseScale-Known-Issues.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Reference Implementation - Known Issues](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Known-Issues) 4 | -------------------------------------------------------------------------------- /docs/EnterpriseScale-Roadmap.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Roadmap](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Roadmap) 4 | -------------------------------------------------------------------------------- /docs/EnterpriseScale-Setup-aad-permissions.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Configure Microsoft Entra permissions for Service Principal](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-aad-permissions) 4 | 
-------------------------------------------------------------------------------- /docs/EnterpriseScale-Setup-azure.md: -------------------------------------------------------------------------------- 1 | # This page has moved to our Wiki 2 | 3 | Please refer to [Configure Azure permissions for ARM tenant deployments](https://github.com/Azure/Enterprise-Scale/wiki/ALZ-Setup-azure) 4 | -------------------------------------------------------------------------------- /docs/reference/adventureworks/media/es-hubspoke.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/adventureworks/media/es-hubspoke.png -------------------------------------------------------------------------------- /docs/reference/adventureworks/media/hub-and-spoke-topology.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/adventureworks/media/hub-and-spoke-topology.png -------------------------------------------------------------------------------- /docs/reference/contoso/media/global-transit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/contoso/media/global-transit.png -------------------------------------------------------------------------------- /docs/reference/contoso/media/ns-vwan.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/contoso/media/ns-vwan.png -------------------------------------------------------------------------------- /docs/reference/lzs/armTemplates/eslz.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "subscriptions": { 6 | "type": "array" 7 | }, 8 | "billingAccount": { 9 | "type": "string" 10 | } 11 | }, 12 | "variables": { 13 | }, 14 | "resources": [ 15 | { 16 | "scope": "/", 17 | "name": "[concat(parameters('subscriptions')[copyIndex()].esSubName)]", 18 | "type": "Microsoft.Subscription/aliases", 19 | "apiVersion": "2020-09-01", 20 | "copy": { 21 | "name": "eslzSubCopy", 22 | "count": "[length(parameters('subscriptions'))]" 23 | }, 24 | "properties": { 25 | "workLoad": "Production", 26 | "displayName": "[concat(parameters('subscriptions')[copyIndex()].esSubName)]", 27 | "billingScope": "[parameters('billingAccount')]", 28 | "managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', concat(parameters('subscriptions')[copyIndex()].esMgSelection))]" 29 | } 30 | } 31 | ], 32 | "outputs": { 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /docs/reference/treyresearch/media/es-lite.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/treyresearch/media/es-lite.png -------------------------------------------------------------------------------- /docs/reference/wingtip/media/addClientSecret.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/addClientSecret.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/basics.PNG: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/basics.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/copySecret.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/copySecret.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/create.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/create.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/createSecret.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/createSecret.png -------------------------------------------------------------------------------- /docs/reference/wingtip/media/createSecret2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/createSecret2.png -------------------------------------------------------------------------------- /docs/reference/wingtip/media/createSecret3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/createSecret3.png 
-------------------------------------------------------------------------------- /docs/reference/wingtip/media/createSecret4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/createSecret4.png -------------------------------------------------------------------------------- /docs/reference/wingtip/media/deploy1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/deploy1.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/deploy2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/deploy2.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/deploy3.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/deploy3.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/deploy4.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/deploy4.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/deploy5.PNG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/deploy5.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/es-without-networking.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/es-without-networking.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/existingSpn.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/existingSpn.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/exit.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/exit.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/lz.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/lz.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/newSpn.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/newSpn.PNG -------------------------------------------------------------------------------- 
/docs/reference/wingtip/media/platform.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/platform.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/prefix.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/prefix.PNG -------------------------------------------------------------------------------- /docs/reference/wingtip/media/secretValue.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/reference/wingtip/media/secretValue.PNG -------------------------------------------------------------------------------- /docs/wiki/ALZ-Deploy-workloads.md: -------------------------------------------------------------------------------- 1 | # Deploy workloads into the landing zones 2 | 3 | At this point you have the necessary platform setup in place, and landing zones (subscriptions) have been created and placed into their respective management groups; they are secure, governed, monitored, and enabled for autonomy, and are ready for your application teams to do workload deployments, migrations, and net-new development to their landing zones. 4 | 5 | The workloads outlined here provide best practices and curated deployment experiences for your application teams to successfully deploy them into their landing zones (online, corp). 6 | 7 | Please head to the Azure Architecture Page called [Deploy Azure landing zones](https://aka.ms/alz/aac) for more information and links to workload accelerators and much more. 
8 | -------------------------------------------------------------------------------- /docs/wiki/Create-Landingzones.md: -------------------------------------------------------------------------------- 1 | ## Create landing zones (subscriptions) via Subscription Vending 2 | 3 | The "Subscription Vending" approach materializes and standardizes the ALZ "Subscription Democratization" Design Principle by formulating a process for requesting, deploying and governing Azure Subscriptions, thereby enabling the Application Teams to onboard their workloads in a fast, yet deterministic way. 4 | 5 | For further details, see the following articles: 6 | 7 | - [Deploy Azure landing zones (Subscription Vending)](https://learn.microsoft.com/azure/architecture/landing-zones/landing-zone-deploy#subscription-vending) 8 | - [Subscription vending implementation guidance](https://learn.microsoft.com/azure/architecture/landing-zones/subscription-vending) 9 | 10 | The respective Bicep and Terraform automation / IaC Modules for Subscription Vending can be found in: 11 | 12 | - [Bicep Subscription Vending](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/lz/sub-vending) 13 | - [Terraform Subscription Vending](https://registry.terraform.io/modules/Azure/lz-vending/azurerm/latest) 14 | 15 | Broader information on the programmatic creation of Azure Subscriptions (EA/MCA/MPA) via the latest APIs can be found in the following articles: 16 | 17 | - [Enterprise Enrollment (EA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-enterprise-agreement) 18 | - [Microsoft Customer Agreement (MCA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-customer-agreement) 19 | - [Microsoft Partner Agreement (MPA)](https://learn.microsoft.com/azure/cost-management-billing/manage/programmatically-create-subscription-microsoft-partner-agreement) 20 | 
-------------------------------------------------------------------------------- /docs/wiki/Deploying-ALZ-Platform-DevOps.md: -------------------------------------------------------------------------------- 1 | ## Azure landing zone portal deployment for Platform DevOps and Automation 2 | 3 | ### Important Notice 4 | 5 | As of May 2023, the Azure Portal experience (accelerator) of the ALZ Reference Implementation (RI) no longer includes the "Platform DevOps and automation" section. 6 | 7 | Consequently, users interested in Platform DevOps and Automation are encouraged to use either the respective [ALZ Bicep Modules](https://github.com/Azure/ALZ-Bicep) or the [ALZ Terraform Accelerator](https://aka.ms/alz/accelerator). 8 | 9 | > [AzOps](https://github.com/Azure/AzOps) can still be used, if desired, but please see the [AzOps](https://github.com/Azure/AzOps) repo for setup and configuration instructions, and raise any support requests through that repo's issues. 10 | 11 | --- 12 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale-BasicSetup.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to [Azure landing zone portal accelerator deployment for Small Enterprises](./Deploying-ALZ-BasicSetup) 4 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale-CustomerUsage.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to [Telemetry Tracking Using Customer Usage Attribution (PID)](./Deploying-ALZ-CustomerUsage) 4 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale-Foundation.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to 
[Azure landing zone portal accelerator deployment without hybrid connectivity](./Deploying-ALZ-Foundation) 4 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale-HubAndSpoke.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to [Deploy Azure landing zone portal accelerator deployment with hub and spoke network topology](./Deploying-ALZ-HubAndSpoke) 4 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale-Platform-DevOps.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to [Azure landing zone portal deployment for Platform DevOps and Automation](./Deploying-ALZ-Platform-DevOps) 4 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale-Pre-requisites.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to [Azure landing zone portal accelerator Pre-requisites](./Deploying-ALZ-Pre-requisites) 4 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale-VWAN.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to [Azure landing zone portal accelerator deployment with Azure VWAN network topology](./Deploying-ALZ-VWAN) 4 | -------------------------------------------------------------------------------- /docs/wiki/Deploying-Enterprise-Scale.md: -------------------------------------------------------------------------------- 1 | # This page has moved 2 | 3 | Please refer to [Deploy Azure landing zone portal accelerator](./Deploying-ALZ) 4 | 
-------------------------------------------------------------------------------- /docs/wiki/Home.md: -------------------------------------------------------------------------------- 1 | # Azure landing zones User Guide 2 | 3 | > **NOTE:** _Enterprise-Scale is now Azure landing zones_ 4 | 5 | This user guide aims to provide comprehensive end-to-end documentation for the Azure landing zone deployment and configuration experience to accelerate both adoption and deployment. 6 | 7 | Please use the navigation links to browse our content... 8 | -------------------------------------------------------------------------------- /docs/wiki/_Footer.md: -------------------------------------------------------------------------------- 1 | 2 | **This wiki is being actively developed** 3 | 4 | If you discover any documentation bugs or would like to request new content, please raise them as an [issue](https://github.com/Azure/Enterprise-Scale/issues). 5 | 6 | Contributions to this wiki are done through the main repo under [docs/wiki](https://github.com/Azure/Enterprise-Scale/tree/main/docs/wiki). 
7 | -------------------------------------------------------------------------------- /docs/wiki/media/1.1.update-alz-custom-policy-def-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/1.1.update-alz-custom-policy-def-search.png -------------------------------------------------------------------------------- /docs/wiki/media/1.2.update-alz-custom-policy-def-name.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/1.2.update-alz-custom-policy-def-name.png -------------------------------------------------------------------------------- /docs/wiki/media/2.1.update-alz-custom-policy-assignments.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/2.1.update-alz-custom-policy-assignments.png -------------------------------------------------------------------------------- /docs/wiki/media/2.2.update-alz-custom-policy-delete-assignments.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/2.2.update-alz-custom-policy-delete-assignments.png -------------------------------------------------------------------------------- /docs/wiki/media/2.3.update-alz-custom-policy-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/2.3.update-alz-custom-policy-search.png 
-------------------------------------------------------------------------------- /docs/wiki/media/2.4.update-alz-custom-policy-search.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/2.4.update-alz-custom-policy-search.png -------------------------------------------------------------------------------- /docs/wiki/media/2023-10-30_RepoTags.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/2023-10-30_RepoTags.png -------------------------------------------------------------------------------- /docs/wiki/media/ALZ Policy Assignments v2.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ALZ Policy Assignments v2.xlsx -------------------------------------------------------------------------------- /docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ALZ-secondaryregion-multisubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ALZ-secondaryregion-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/ActiveActive.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ActiveActive.png -------------------------------------------------------------------------------- /docs/wiki/media/AzGovViz-ALZ-Policy-outDated.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/AzGovViz-ALZ-Policy-outDated.png -------------------------------------------------------------------------------- /docs/wiki/media/AzGovViz-ALZ-Policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/AzGovViz-ALZ-Policy.png -------------------------------------------------------------------------------- /docs/wiki/media/Connectivity_v0.1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/Connectivity_v0.1.jpg -------------------------------------------------------------------------------- /docs/wiki/media/Corp_v0.1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/Corp_v0.1.jpg -------------------------------------------------------------------------------- /docs/wiki/media/ES-process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ES-process.png -------------------------------------------------------------------------------- 
/docs/wiki/media/ESLZ-Company-Prefix-2-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ESLZ-Company-Prefix-2-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ESLZ-Company-Prefix-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/ESLZ-Company-Prefix.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ESLZ-Company-Prefix.JPG -------------------------------------------------------------------------------- /docs/wiki/media/ESLZ-Company-Prefix.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ESLZ-Company-Prefix.png -------------------------------------------------------------------------------- /docs/wiki/media/ESLZ-Update-location-assignment-policy.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ESLZ-Update-location-assignment-policy.JPG -------------------------------------------------------------------------------- /docs/wiki/media/ESLZ-location-assignment-policy.JPG: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ESLZ-location-assignment-policy.JPG -------------------------------------------------------------------------------- /docs/wiki/media/ESLZ.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ESLZ.gif -------------------------------------------------------------------------------- /docs/wiki/media/Enterprise Scale - PolicyDefinitionAssignments.xlsx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/Enterprise Scale - PolicyDefinitionAssignments.xlsx -------------------------------------------------------------------------------- /docs/wiki/media/HS.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/HS.png -------------------------------------------------------------------------------- /docs/wiki/media/Identity_v0.1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/Identity_v0.1.jpg -------------------------------------------------------------------------------- /docs/wiki/media/IntRoot_v0.1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/IntRoot_v0.1.jpg -------------------------------------------------------------------------------- /docs/wiki/media/LandingZone_v0.1.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/LandingZone_v0.1.jpg -------------------------------------------------------------------------------- /docs/wiki/media/Management_v0.1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/Management_v0.1.jpg -------------------------------------------------------------------------------- /docs/wiki/media/MvnetHS.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/MvnetHS.png -------------------------------------------------------------------------------- /docs/wiki/media/MvnetHSPP.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/MvnetHSPP.png -------------------------------------------------------------------------------- /docs/wiki/media/North Star process visuals.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/North Star process visuals.pptx -------------------------------------------------------------------------------- /docs/wiki/media/NorthStar Networking images.pptx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/NorthStar Networking images.pptx -------------------------------------------------------------------------------- 
/docs/wiki/media/Online_v0.1.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/Online_v0.1.jpg -------------------------------------------------------------------------------- /docs/wiki/media/WN-RBACCleanup.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/WN-RBACCleanup.png -------------------------------------------------------------------------------- /docs/wiki/media/aad-rolesandadministrators.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/aad-rolesandadministrators.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-add-build-policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-add-build-policy.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-complete-pr.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-complete-pr.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-env-approval.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-env-approval.png 
-------------------------------------------------------------------------------- /docs/wiki/media/ado-import-repo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-import-repo.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-manage-repo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-manage-repo.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-permissions-group.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-permissions-group.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-pipeline-create.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-pipeline-create.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-pipeline-variable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-pipeline-variable.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-repo-buildservice.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-repo-buildservice.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-repo-forcepush.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-repo-forcepush.png -------------------------------------------------------------------------------- /docs/wiki/media/ado-repo-policy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ado-repo-policy.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-assign-builtin-policy-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-assign-builtin-policy-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-contrib-portal1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-contrib-portal1.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-delete-policy-assign-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-delete-policy-assign-01.png -------------------------------------------------------------------------------- 
/docs/wiki/media/alz-delete-policy-def-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-delete-policy-def-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-determine-policy-assign-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-determine-policy-assign-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-determine-policy-assign-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-determine-policy-assign-02.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-portal-baselinealerts.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-portal-baselinealerts.jpg -------------------------------------------------------------------------------- /docs/wiki/media/alz-portal-decommsandbox.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-portal-decommsandbox.jpg -------------------------------------------------------------------------------- /docs/wiki/media/alz-portal-landingzones.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-portal-landingzones.jpg -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-01.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-update-initiative-with-builtin-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-02.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-update-initiative-with-builtin-02.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-03.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-update-initiative-with-builtin-03.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-initiative-with-builtin-04.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-update-initiative-with-builtin-04.png -------------------------------------------------------------------------------- /docs/wiki/media/alz-update-to-builtin-01.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alz-update-to-builtin-01.png -------------------------------------------------------------------------------- /docs/wiki/media/alzPolicyAzAdvertizer.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/alzPolicyAzAdvertizer.png -------------------------------------------------------------------------------- /docs/wiki/media/ama-migrate-whatif.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ama-migrate-whatif.gif -------------------------------------------------------------------------------- /docs/wiki/media/ama-migrate.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ama-migrate.gif -------------------------------------------------------------------------------- /docs/wiki/media/ama-update-whatif.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ama-update-whatif.gif -------------------------------------------------------------------------------- /docs/wiki/media/ama-update.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ama-update.gif -------------------------------------------------------------------------------- /docs/wiki/media/azops-create-pr.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-create-pr.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-deployment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-deployment.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-initial-commit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-initial-commit.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-inside-root-dir.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-inside-root-dir.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-online-path.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-online-path.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-policy-assigned-online.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-policy-assigned-online.png 
-------------------------------------------------------------------------------- /docs/wiki/media/azops-policy-disabled.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-policy-disabled.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-policy-enforcement-mode-change.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-policy-enforcement-mode-change.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-pr-validate-action.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-pr-validate-action.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-pr-validate-comment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-pr-validate-comment.png -------------------------------------------------------------------------------- /docs/wiki/media/azops-push-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/azops-push-workflow.png -------------------------------------------------------------------------------- /docs/wiki/media/caf-docs-mstone-2-toc.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/caf-docs-mstone-2-toc.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image-iac-1-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image-iac-1-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image-iac-2-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image-iac-2-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image004.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image004.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image006.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image006.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image008.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image008.jpg -------------------------------------------------------------------------------- 
/docs/wiki/media/clip_image010-1-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image010-1-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image010.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image010.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image012.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image012.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014-1-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014-1-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014-2-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014-2-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014-3-singlesubscription.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014-3-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014asc-1-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014asc-1-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014asc-2-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014asc-2-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014asc-3-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014asc-3-singlesubscription.jpg 
-------------------------------------------------------------------------------- /docs/wiki/media/clip_image014asc-4-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014asc-4-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014asc-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014asc-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image014asc.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image014asc.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image015.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image015.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image017.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image017.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image018.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image018.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image020.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image020.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image022.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image022.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image024.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image024.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image026.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image026.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image028.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image028.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image030.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image030.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image032.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image032.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image034.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image034.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image035.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image035.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036a.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-0-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-0-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-1-singlesubscription.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-1-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-10-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-10-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-11-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-11-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-12-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-12-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-13-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-13-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-2-singlesubscription.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-2-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-3-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-3-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-4-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-4-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-5-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-5-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-6-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-6-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-7-singlesubscription.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-7-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-8-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-8-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b-9-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b-9-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036b.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036b.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036c-1-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036c-1-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036c-2-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036c-2-singlesubscription.png 
-------------------------------------------------------------------------------- /docs/wiki/media/clip_image036c-singlesubscription.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036c-singlesubscription.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image036c.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image036c.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image037-1-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image037-1-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image037-2-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image037-2-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image037-3-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image037-3-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image037-4-singlesubscription.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image037-4-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image037-5-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image037-5-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image037-6-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image037-6-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image037.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image037.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image039-singlesubscription.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image039-singlesubscription.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image039.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image039.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image040.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image040.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image042.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image042.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image044.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image044.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image046.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image046.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image048.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image048.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image050.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image050.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image052.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image052.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image054.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image054.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image056.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image056.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image058.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image058.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image060.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image060.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image062.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image062.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image063.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image063.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image065.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image065.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image067.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image067.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image069.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image069.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image071.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image071.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image073.jpg: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image073.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image074.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image074.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image075.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image075.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image077.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image077.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image078.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image078.jpg -------------------------------------------------------------------------------- /docs/wiki/media/clip_image080.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image080.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image081.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image081.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image082.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image082.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image083.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image083.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image084.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image084.png -------------------------------------------------------------------------------- /docs/wiki/media/clip_image085.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/clip_image085.png -------------------------------------------------------------------------------- /docs/wiki/media/cmanged-nt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/cmanged-nt.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/april-2023/ALZ-Community-Call-27-04-2023.pdf: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/april-2023/ALZ-Community-Call-27-04-2023.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/april-2023/alz-april-2023-youtube-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/april-2023/alz-april-2023-youtube-screenshot.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/aug-2021/ESLZ-Community-Call-25082021.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/aug-2021/ESLZ-Community-Call-25082021.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/aug-2021/eslz-aug-2021-youtube-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/aug-2021/eslz-aug-2021-youtube-screenshot.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/dec-2023/ALZ-Community-Call-06122023.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/dec-2023/ALZ-Community-Call-06122023.pdf -------------------------------------------------------------------------------- 
/docs/wiki/media/community-calls/dec-2023/youtube-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/dec-2023/youtube-screenshot.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/jan-2023/ALZ-Community-Call-31012023.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/jan-2023/ALZ-Community-Call-31012023.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/jan-2023/alz-jan-2023-youtube-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/jan-2023/alz-jan-2023-youtube-screenshot.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/jan-2025/ALZ-Community-Call-29012025.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/jan-2025/ALZ-Community-Call-29012025.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/jan-2025/youtube-thumb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/jan-2025/youtube-thumb.png 
-------------------------------------------------------------------------------- /docs/wiki/media/community-calls/june-2024/ALZ-Community-Call-12062024.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/june-2024/ALZ-Community-Call-12062024.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/june-2024/youtube-thumbnail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/june-2024/youtube-thumbnail.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/march-2024/ALZ-Community-Call-11032024.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/march-2024/ALZ-Community-Call-11032024.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/march-2024/youtube-thumbnail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/march-2024/youtube-thumbnail.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/may-2022/ALZ-Community-Call-02052022.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/may-2022/ALZ-Community-Call-02052022.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/may-2022/alz-may-2022-youtube-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/may-2022/alz-may-2022-youtube-screenshot.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/may-2025/ALZ-Community-Call-07052025.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/may-2025/ALZ-Community-Call-07052025.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/may-2025/youtube-thumb.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/may-2025/youtube-thumb.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/nov-2021/ESLZ-Community-Call-17112021.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/nov-2021/ESLZ-Community-Call-17112021.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/nov-2021/eslz-nov-2021-youtube-screenshot.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/nov-2021/eslz-nov-2021-youtube-screenshot.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/sept-2023/ALZ-Community-Call-25092023.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/sept-2023/ALZ-Community-Call-25092023.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/sept-2023/youtube-screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/sept-2023/youtube-screenshot.png -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/sept-2024/ALZ-Community-Call-25092024.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/sept-2024/ALZ-Community-Call-25092024.pdf -------------------------------------------------------------------------------- /docs/wiki/media/community-calls/sept-2024/youtube-thumbnail.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/community-calls/sept-2024/youtube-thumbnail.png -------------------------------------------------------------------------------- /docs/wiki/media/cua-parameter.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/cua-parameter.png -------------------------------------------------------------------------------- /docs/wiki/media/cua-portal-experience-disabled.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/cua-portal-experience-disabled.jpg -------------------------------------------------------------------------------- /docs/wiki/media/cua-portal-experience-enabled.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/cua-portal-experience-enabled.jpg -------------------------------------------------------------------------------- /docs/wiki/media/cua-resource.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/cua-resource.png -------------------------------------------------------------------------------- /docs/wiki/media/cua-variable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/cua-variable.png -------------------------------------------------------------------------------- /docs/wiki/media/devops.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/devops.png -------------------------------------------------------------------------------- 
/docs/wiki/media/directory-reader.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/directory-reader.png -------------------------------------------------------------------------------- /docs/wiki/media/e2e-armtemplate.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/e2e-armtemplate.png -------------------------------------------------------------------------------- /docs/wiki/media/ea-account-spn.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ea-account-spn.png -------------------------------------------------------------------------------- /docs/wiki/media/ea.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ea.png -------------------------------------------------------------------------------- /docs/wiki/media/ef73.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ef73.jpg -------------------------------------------------------------------------------- /docs/wiki/media/ef73.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | -------------------------------------------------------------------------------- /docs/wiki/media/eg-net-top.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/eg-net-top.png -------------------------------------------------------------------------------- /docs/wiki/media/enc-flows.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/enc-flows.png -------------------------------------------------------------------------------- /docs/wiki/media/es-hubspoke-nw.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/es-hubspoke-nw.png -------------------------------------------------------------------------------- /docs/wiki/media/es-iab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/es-iab.png -------------------------------------------------------------------------------- /docs/wiki/media/example-def-in-init-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/example-def-in-init-2.png -------------------------------------------------------------------------------- /docs/wiki/media/example-def-in-init.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/example-def-in-init.png -------------------------------------------------------------------------------- /docs/wiki/media/github_developer_createPAT.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/github_developer_createPAT.png -------------------------------------------------------------------------------- /docs/wiki/media/github_developer_disablesso.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/github_developer_disablesso.png -------------------------------------------------------------------------------- /docs/wiki/media/github_developer_enablesso.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/github_developer_enablesso.png -------------------------------------------------------------------------------- /docs/wiki/media/global-transit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/global-transit.png -------------------------------------------------------------------------------- /docs/wiki/media/iam.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/iam.png -------------------------------------------------------------------------------- /docs/wiki/media/implementation-scope.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/implementation-scope.png -------------------------------------------------------------------------------- /docs/wiki/media/lz-design.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/lz-design.png -------------------------------------------------------------------------------- /docs/wiki/media/mg-hierarchy-settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/mg-hierarchy-settings.png -------------------------------------------------------------------------------- /docs/wiki/media/mg-resource-prefix-portal.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/mg-resource-prefix-portal.png -------------------------------------------------------------------------------- /docs/wiki/media/mgmt-mon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/mgmt-mon.png -------------------------------------------------------------------------------- /docs/wiki/media/net-con.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/net-con.png -------------------------------------------------------------------------------- /docs/wiki/media/net-con2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/net-con2.png -------------------------------------------------------------------------------- /docs/wiki/media/ns-arch.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/ns-arch.png -------------------------------------------------------------------------------- /docs/wiki/media/policies-bicep-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/policies-bicep-example.png -------------------------------------------------------------------------------- /docs/wiki/media/policy-metadata-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/policy-metadata-example.png -------------------------------------------------------------------------------- /docs/wiki/media/pr-example.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/pr-example.png -------------------------------------------------------------------------------- /docs/wiki/media/sub-org.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/sub-org.png -------------------------------------------------------------------------------- /docs/wiki/media/zt1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt1.png -------------------------------------------------------------------------------- /docs/wiki/media/zt2.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt2.png -------------------------------------------------------------------------------- /docs/wiki/media/zt3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt3.png -------------------------------------------------------------------------------- /docs/wiki/media/zt4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt4.png -------------------------------------------------------------------------------- /docs/wiki/media/zt5-2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt5-2.png -------------------------------------------------------------------------------- /docs/wiki/media/zt5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt5.png -------------------------------------------------------------------------------- /docs/wiki/media/zt6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt6.png -------------------------------------------------------------------------------- /docs/wiki/media/zt7.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt7.png -------------------------------------------------------------------------------- /docs/wiki/media/zt8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt8.png -------------------------------------------------------------------------------- /docs/wiki/media/zt9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/docs/wiki/media/zt9.png -------------------------------------------------------------------------------- /eslzArm/README.md: -------------------------------------------------------------------------------- 1 | # Enterprise-Scale Landing Zones ARM templates 2 | 3 | > The content that was previously here has been archived as it is no longer relevant. Please follow the guidance in the [ALZ Wiki](https://aka.ms/alz/wiki) for the latest information on how to deploy Enterprise-Scale Landing Zones. 4 | > To view the content that was previously here, refer to the [archive](https://github.com/Azure/Enterprise-Scale/blob/45d5c2bd8c1a9e19b1a46a3a0dabb311e5320b64/eslzArm/README.md). 5 | 6 | This folder contains the first-party ARM templates for Enterprise-Scale, which are used when deploying and bootstrapping in the Azure Portal.
-------------------------------------------------------------------------------- /eslzArm/managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "logAnalyticsResourceId": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Provide the resourceId to the central Log Analytics workspace." 9 | } 10 | } 11 | }, 12 | "variables": { 13 | }, 14 | "resources": [ 15 | { 16 | "type": "Microsoft.Insights/diagnosticSettings", 17 | "apiVersion": "2021-05-01-preview", 18 | "name": "toLa", 19 | "properties": { 20 | "workspaceId": "[parameters('logAnalyticsResourceId')]", 21 | "logs": [ 22 | { 23 | "category": "Administrative", 24 | "enabled": true 25 | }, 26 | { 27 | "category": "Policy", 28 | "enabled": true 29 | } 30 | ] 31 | } 32 | } 33 | ] 34 | } -------------------------------------------------------------------------------- /eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "enforcementMode": { 6 | "type": "string", 7 | "allowedValues": [ 8 | "Default", 9 | "DoNotEnforce" 10 | ], 11 | "defaultValue": "Default" 12 | } 13 | }, 14 | "variables": { 15 | "policyDefinitions": { 16 | "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", 17 | "policyVersion": "9.*.*" 18 | }, 19 | "policyAssignmentNames": { 20 | "denyAksPriv": "Deny-Privileged-AKS", 21 | "description": "Do not allow privileged containers creation in a Kubernetes cluster. 
This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc.", 22 | "displayName": "Kubernetes cluster should not allow privileged containers" 23 | } 24 | }, 25 | "resources": [ 26 | { 27 | "type": "Microsoft.Authorization/policyAssignments", 28 | "apiVersion": "2024-04-01", 29 | "name": "[variables('policyAssignmentNames').denyAksPriv]", 30 | "properties": { 31 | "description": "[variables('policyAssignmentNames').description]", 32 | "displayName": "[variables('policyAssignmentNames').displayName]", 33 | "policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]", 34 | "definitionVersion": "[variables('policyDefinitions').policyVersion]", 35 | "enforcementMode": "[parameters('enforcementMode')]", 36 | "parameters": { 37 | "effect": { 38 | "value": "deny" 39 | } 40 | } 41 | } 42 | } 43 | ], 44 | "outputs": {} 45 | } -------------------------------------------------------------------------------- /eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "enforcementMode": { 6 | "type": "string", 7 | "allowedValues": [ 8 | "Default", 9 | "DoNotEnforce" 10 | ], 11 | "defaultValue": "Default" 12 | } 13 | }, 14 | "variables": { 15 | "policyDefinitions": { 16 | "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", 17 | "policyVersion": "8.*.*" 18 | }, 19 | "policyAssignmentNames": { 20 | "denyHttpIngressAks": "Enforce-AKS-HTTPS", 21 | "description": "Use of HTTPS ensures 
authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc", 22 | "displayName": "Kubernetes clusters should be accessible only over HTTPS" 23 | } 24 | }, 25 | "resources": [ 26 | { 27 | "type": "Microsoft.Authorization/policyAssignments", 28 | "apiVersion": "2024-04-01", 29 | "name": "[variables('policyAssignmentNames').denyHttpIngressAks]", 30 | "properties": { 31 | "description": "[variables('policyAssignmentNames').description]", 32 | "displayName": "[variables('policyAssignmentNames').displayName]", 33 | "policyDefinitionId": "[variables('policyDefinitions').denyHttpIngressAks]", 34 | "definitionVersion": "[variables('policyDefinitions').policyVersion]", 35 | "enforcementMode": "[parameters('enforcementMode')]", 36 | "parameters": { 37 | "effect": { 38 | "value": "deny" 39 | } 40 | } 41 | } 42 | } 43 | ], 44 | "outputs": {} 45 | } -------------------------------------------------------------------------------- /eslzArm/managementGroupTemplates/policyDefinitions/README.md: -------------------------------------------------------------------------------- 1 | # Information relating to `policies.json` and `initiatives.json` 2 | 3 | The `policies.json` and `initiatives.json` deployment templates provide a unified deployment experience for creating all Policy Definitions and Policy Set Definitions (Initiatives) as recommended for the Azure landing zone reference implementation.
4 | 5 | These templates are designed to work across the following clouds, ensuring the supported combination of policies is created in the customer environment: 6 | 7 | - AzureCloud (Public) 8 | - AzureChinaCloud (Azure China / 21Vianet) 9 | - AzureUSGovernment (US Government) 10 | 11 | > **IMPORTANT:** 12 | > Please note that the `policies.json` and `initiatives.json` files located in this directory are programmatically generated and **must not** be manually edited. 13 | > When making changes to policies, please refer to the [policies.bicep](../../../src/templates/policies.bicep) and [initiatives.bicep](../../../src/templates/initiatives.bicep) files. 14 | 15 | 16 | *further guidance to follow* 17 | -------------------------------------------------------------------------------- /eslzArm/managementGroupTemplates/roleAssignments/roleAssignment.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "topLevelManagementGroupPrefix": { 6 | "type": "string" 7 | }, 8 | "principalId": { 9 | "type": "string" 10 | }, 11 | "roleDefinitionId": { 12 | "type": "string" 13 | }, 14 | "principalType": { 15 | "type": "string", 16 | "defaultValue": "ServicePrincipal" 17 | } 18 | }, 19 | "variables": { 20 | "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]" 21 | }, 22 | "resources": [ 23 | { 24 | "type": "Microsoft.Authorization/roleAssignments", 25 | "apiVersion": "2019-04-01-preview", 26 | "name": "[guid(concat(parameters('topLevelManagementGroupPrefix'), parameters('roleDefinitionId')))]", 27 | "properties": { 28 | "principalType": "[parameters('principalType')]", 29 | "roleDefinitionId": "[variables('roleDefinitionId')]", 30 | "principalId": "[parameters('principalId')]" 31 | } 32 | } 33 | ] 34 | } 
-------------------------------------------------------------------------------- /eslzArm/managementGroupTemplates/roleDefinitions/README.md: -------------------------------------------------------------------------------- 1 | # Information relating to `customRoleDefinitions.json` 2 | 3 | The `customRoleDefinitions.json` deployment template provides a unified deployment experience for creating all Role Definitions as recommended for the Azure landing zone reference implementation. 4 | 5 | This template is designed to work across the following clouds, ensuring the supported combination of roles are created in the customer environment: 6 | 7 | - AzureCloud (Public) 8 | - AzureChinaCloud (Azure China / 21Vianet) 9 | - AzureUSGovernment (US Government) 10 | 11 | > **IMPORTANT:** 12 | > Please note that the `customRoleDefinitions.json` file located in this directory is programmatically generated and **must not** be manually edited. 13 | > When making changes to policies, please refer to the [roles.bicep](../../../src/templates/roles.bicep) file. 14 | 15 | 16 | *further guidance to follow* 17 | -------------------------------------------------------------------------------- /eslzArm/managementGroupTemplates/subscriptionOrganization/subscriptionOrganization.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "targetManagementGroupId": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Provide the management group id (e.g. 
'eslz-corp')" 9 | } 10 | }, 11 | "subscriptionId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Provide the subscriptionId you will place into the management group" 15 | } 16 | } 17 | }, 18 | "resources": [ 19 | { 20 | "scope": "/", 21 | "type": "Microsoft.Management/managementGroups/subscriptions", 22 | "apiVersion": "2020-05-01", 23 | "name": "[concat(parameters('targetManagementGroupId'), '/', parameters('subscriptionId'))]", 24 | "properties": { 25 | } 26 | } 27 | ], 28 | "outputs": {} 29 | } -------------------------------------------------------------------------------- /eslzArm/resourceGroupTemplates/azureFirewall.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/eslzArm/resourceGroupTemplates/azureFirewall.json -------------------------------------------------------------------------------- /eslzArm/resourceGroupTemplates/ddosProtection.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "ddosName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Provide a name for the DDoS protection plan" 9 | } 10 | }, 11 | "location": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Provide a location for the DDoS protection plan" 15 | } 16 | } 17 | }, 18 | "resources": [ 19 | { 20 | "type": "Microsoft.Network/ddosProtectionPlans", 21 | "apiVersion": "2019-02-01", 22 | "name": "[parameters('ddosName')]", 23 | "location": "[parameters('location')]", 24 | "properties": {} 25 | } 26 | ], 27 | "outputs": {} 28 | } -------------------------------------------------------------------------------- /eslzArm/resourceGroupTemplates/expressRouteCircuit.json: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/eslzArm/resourceGroupTemplates/expressRouteCircuit.json -------------------------------------------------------------------------------- /eslzArm/resourceGroupTemplates/userAssignedIdentity.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "location": { 6 | "type": "string", 7 | "defaultValue": "[resourceGroup().location]", 8 | "metadata": { 9 | "description": "Location for the resources to deploy." 10 | } 11 | }, 12 | "userAssignedIdentityName": { 13 | "type": "string", 14 | "defaultValue": "id-ama-prod", 15 | "metadata": { 16 | "description": "The name of the Managed Identity resource." 17 | } 18 | }, 19 | "userAssignedIdentityResourceGroup": { 20 | "type": "String", 21 | "metadata": { 22 | "description": "The name of the resource group where the Managed Identity resource will be created." 
23 | } 24 | } 25 | }, 26 | "variables": {}, 27 | "resources": [ 28 | { 29 | "type": "Microsoft.Resources/deployments", 30 | "apiVersion": "2021-04-01", 31 | "name": "[parameters('userAssignedIdentityName')]", 32 | "properties": { 33 | "mode": "Incremental", 34 | "template": { 35 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 36 | "contentVersion": "1.0.0.0", 37 | "parameters": {}, 38 | "variables": {}, 39 | "resources": [ 40 | { 41 | "type": "Microsoft.ManagedIdentity/userAssignedIdentities", 42 | "name": "[parameters('userAssignedIdentityName')]", 43 | "apiVersion": "2018-11-30", 44 | "location": "[parameters('location')]" 45 | } 46 | ] 47 | } 48 | }, 49 | "resourceGroup": "[parameters('userAssignedIdentityResourceGroup')]" 50 | } 51 | ], 52 | "outputs": {} 53 | } -------------------------------------------------------------------------------- /eslzArm/subscriptionTemplates/azActivityDiagnostics.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "logAnalytics": { 6 | "type": "string" 7 | }, 8 | "logsEnabled": { 9 | "type": "string", 10 | "allowedValues": [ 11 | "True", 12 | "False" 13 | ], 14 | "defaultValue": "True" 15 | } 16 | }, 17 | "variables": {}, 18 | "resources": [ 19 | { 20 | "name": "subscriptionToLa", 21 | "type": "Microsoft.Insights/diagnosticSettings", 22 | "apiVersion": "2017-05-01-preview", 23 | "location": "Global", 24 | "properties": { 25 | "workspaceId": "[parameters('logAnalytics')]", 26 | "logs": [ 27 | { 28 | "category": "Administrative", 29 | "enabled": "[parameters('logsEnabled')]" 30 | }, 31 | { 32 | "category": "Security", 33 | "enabled": "[parameters('logsEnabled')]" 34 | }, 35 | { 36 | "category": "ServiceHealth", 37 | "enabled": "[parameters('logsEnabled')]" 38 | }, 39 | { 40 | 
"category": "Alert", 41 | "enabled": "[parameters('logsEnabled')]" 42 | }, 43 | { 44 | "category": "Recommendation", 45 | "enabled": "[parameters('logsEnabled')]" 46 | }, 47 | { 48 | "category": "Policy", 49 | "enabled": "[parameters('logsEnabled')]" 50 | }, 51 | { 52 | "category": "Autoscale", 53 | "enabled": "[parameters('logsEnabled')]" 54 | }, 55 | { 56 | "category": "ResourceHealth", 57 | "enabled": "[parameters('logsEnabled')]" 58 | } 59 | ] 60 | } 61 | } 62 | ], 63 | "outputs": {} 64 | } -------------------------------------------------------------------------------- /eslzArm/subscriptionTemplates/resourceGroup.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "rgName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Provide name for resource group" 9 | } 10 | }, 11 | "location": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Provide location for the resource group" 15 | } 16 | } 17 | }, 18 | "variables": {}, 19 | "resources": [ 20 | { 21 | "type": "Microsoft.Resources/resourceGroups", 22 | "apiVersion": "2020-10-01", 23 | "name": "[parameters('rgName')]", 24 | "location": "[parameters('location')]" 25 | } 26 | ], 27 | "outputs": {} 28 | } -------------------------------------------------------------------------------- /eslzArm/subscriptionTemplates/vpnGateway.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/eslzArm/subscriptionTemplates/vpnGateway.json -------------------------------------------------------------------------------- /examples/10-create-managementgroup.parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "input": { 6 | "value": { 7 | "Name": "Tailspin", 8 | "DisplayName": "Tailspin", 9 | "ParentId": "/providers/Microsoft.Management/managementGroups/3fc1081d-6105-4e19-b60c-1ec1252cf560", 10 | "Type": "/providers/Microsoft.Management/managementGroups" 11 | } 12 | } 13 | } 14 | } -------------------------------------------------------------------------------- /examples/README.md: -------------------------------------------------------------------------------- 1 | # Example ARM templates for Enterprise-scale landing zones 2 | 3 | This isn't yet another example ARM template library. This folder contains **only** ARM templates for organizations to deploy platform resources using infrastructure-as-code. 4 | 5 | The following resources are in scope to illustrate how to build and operate the Azure platform: 6 | 7 | * Microsoft.Management/managementGroups 8 | * Microsoft.Management/managementGroups/subscriptions 9 | * Microsoft.Subscription/aliases 10 | * Microsoft.Authorization/policyDefinitions 11 | * Microsoft.Authorization/policySetDefinitions 12 | * Microsoft.Authorization/policyAssignments 13 | * Microsoft.Authorization/roleDefinitions 14 | * Microsoft.Authorization/roleAssignments 15 | 16 | Furthermore, platform resources in the context of Enterprise-scale are deployed primarily to the tenant and management group scopes, and to subscription scopes. 
17 | 18 | How-to documentation to deploy these templates using a platform CI/CD pipeline AzOps: 19 | 20 | - [Deploy your own ARM templates with AzOps GitHub Actions](https://github.com/azure/azops/wiki/deployments) 21 | - [Enable Service Principal to create landing zones](https://github.com/Azure/Enterprise-Scale/wiki/Create-Landingzones#enable-service-principal-to-create-landing-zones) 22 | - [Landing zone creation](./landing-zones) 23 | -------------------------------------------------------------------------------- /examples/landing-zones/empty-subscription/emptySubscription.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "subscriptionAliasName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Provide a name for the alias. This name will also be the display name of the subscription." 9 | } 10 | }, 11 | "billingAccountId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Provide the full resourceId of the MCA or the enrollment account id used for subscription creation." 15 | } 16 | }, 17 | "targetManagementGroup": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Provide the resourceId of the target management group to place the subscription." 
21 | } 22 | } 23 | }, 24 | "resources": [ 25 | { 26 | "scope": "/", // routing the request to tenant root 27 | "name": "[parameters('subscriptionAliasName')]", 28 | "type": "Microsoft.Subscription/aliases", 29 | "apiVersion": "2020-09-01", 30 | "properties": { 31 | "workLoad": "Production", 32 | "displayName": "[parameters('subscriptionAliasName')]", 33 | "billingScope": "[parameters('billingAccountId')]", 34 | "managementGroupId": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('targetManagementGroup'))]" 35 | } 36 | } 37 | ], 38 | "outputs": {} 39 | } -------------------------------------------------------------------------------- /examples/management-groups/child-group/child-group.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "mgmtGroupName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Provide a unique name for the management group." 9 | } 10 | }, 11 | "parentMgmtGroupId": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Provide the name of the management group where you are invoking the deployment." 
15 | } 16 | } 17 | }, 18 | "resources": [ 19 | { 20 | "scope": "/", // routing the request to the tenant root 21 | "type": "Microsoft.Management/managementGroups", 22 | "apiVersion": "2020-05-01", 23 | "name": "[parameters('mgmtGroupName')]", 24 | "properties": { 25 | "displayName": "[parameters('mgmtGroupName')]", 26 | "details": { 27 | "parent": { 28 | "id": "[if(not(empty(parameters('parentMgmtGroupId'))), concat('/providers/Microsoft.Management/managementGroups/', parameters('parentMgmtGroupId')), json('null'))]" 29 | } 30 | } 31 | } 32 | } 33 | ] 34 | } -------------------------------------------------------------------------------- /examples/policies/policy-definition/policy-definition.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "policyName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Provide name for the policyDefinition." 9 | } 10 | }, 11 | "policyDescription": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Provide a description for the policy." 15 | } 16 | }, 17 | "namePattern": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Provide naming pattern." 
21 | } 22 | } 23 | }, 24 | "resources": [ 25 | { 26 | "type": "Microsoft.Authorization/policyDefinitions", 27 | "apiVersion": "2019-09-01", 28 | "name": "[parameters('policyName')]", 29 | "properties": { 30 | "description": "[parameters('policyDescription')]", 31 | "displayName": "[parameters('policyName')]", 32 | "policyRule": { 33 | "if": { 34 | "not": { 35 | "field": "name", 36 | "like": "[parameters('namePattern')]" 37 | } 38 | }, 39 | "then": { 40 | "effect": "deny" 41 | } 42 | } 43 | } 44 | } 45 | ] 46 | } -------------------------------------------------------------------------------- /src/Alz.Tools/Alz.Enums/Alz.Enums.psm1: -------------------------------------------------------------------------------- 1 | #!/usr/bin/pwsh 2 | 3 | ############################################ 4 | # Custom enum data sets used within module # 5 | ############################################ 6 | 7 | enum PolicyDefinitionPropertiesMode { 8 | All 9 | Indexed 10 | } 11 | 12 | enum PolicyAssignmentPropertiesEnforcementMode { 13 | Default 14 | DoNotEnforce 15 | } 16 | 17 | enum PolicyAssignmentIdentityType { 18 | None 19 | SystemAssigned 20 | } 21 | 22 | enum PolicySetDefinitionPropertiesPolicyType { 23 | NotSpecified 24 | BuiltIn 25 | Custom 26 | Static 27 | } 28 | 29 | enum GetFileNameCaseModifier { 30 | ToString 31 | ToLower 32 | ToUpper 33 | } 34 | 35 | enum LineEndingTypes { 36 | Darwin 37 | Unix 38 | Win 39 | } 40 | 41 | enum ExportFormat { 42 | ArmResource 43 | ArmVariable 44 | Raw 45 | Jinja2 46 | Terraform 47 | Bicep 48 | } 49 | -------------------------------------------------------------------------------- /src/Alz.Tools/Alz.Tools.psm1: -------------------------------------------------------------------------------- 1 | #!/usr/bin/pwsh 2 | 3 | $ErrorActionPreference = "Stop" 4 | # Set-StrictMode -Version 3.0 5 | 6 | ########################### 7 | # Import module functions # 8 | ########################### 9 | 10 | # Dot source all functions located in the module 11 | # 
Excludes tests and profiles 12 | 13 | $functions = @() 14 | $functions += Get-ChildItem -Path $PSScriptRoot\functions\*.ps1 -Exclude *.tests.ps1, *profile.ps1 -ErrorAction SilentlyContinue 15 | $functions.foreach({ 16 | try { 17 | Write-Verbose "Dot sourcing [$($_.FullName)]" 18 | . $_.FullName 19 | } 20 | catch { 21 | throw "Unable to dot source [$($_.FullName)]" 22 | } 23 | }) 24 | -------------------------------------------------------------------------------- /src/Alz.Tools/ProviderApiVersions.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Azure/Enterprise-Scale/7fbfb1cf83f09653102f748319ed9c8ee4a0ae38/src/Alz.Tools/ProviderApiVersions.zip -------------------------------------------------------------------------------- /src/Alz.Tools/scripts/Update-ProviderApiVersionsZip.ps1: -------------------------------------------------------------------------------- 1 | #!/usr/bin/pwsh 2 | 3 | # 4 | # PowerShell Script 5 | # - Update the ProviderApiVersions.zip file stored in the module 6 | # 7 | # Requires an authenticated PowerShell session to Azure 8 | # and should be run from the same location as the script unless 9 | # the -Directory parameter is specified. 10 | # 11 | 12 | [CmdletBinding(SupportsShouldProcess)] 13 | param ( 14 | [Parameter()][String]$AlzToolsPath = "$PWD/src/Alz.Tools" 15 | ) 16 | 17 | $ErrorActionPreference = "Stop" 18 | 19 | # This script relies on a custom set of classes and functions 20 | # defined within the Alz.Tools PowerShell module. 21 | Import-Module $AlzToolsPath 22 | 23 | Write-Information "Updating ProviderApiVersions in module." -InformationAction Continue 24 | if ($PSCmdlet.ShouldProcess($AlzToolsPath)) { 25 | Invoke-UpdateCacheInModule($AlzToolsPath) 26 | } 27 | 28 | Write-Information "... 
Complete" -InformationAction Continue 29 | -------------------------------------------------------------------------------- /src/portal/release.json: -------------------------------------------------------------------------------- 1 | { 2 | "azureLandingZoneTemplateDetailsUri": "https://github.com/Azure/Enterprise-Scale/tree/2025-04-16", 3 | "templateUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2025-04-16/eslzArm/eslzArm.json", 4 | "templateUriBlob": "https://github.com/Azure/Enterprise-Scale/blob/2025-04-16/eslzArm/eslzArm.json", 5 | "uiFormDefinitionUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2025-04-16/eslzArm/eslz-portal.json" 6 | } 7 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Append-AppService-httpsonly", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "All", 9 | "displayName": "AppService append enable https only setting to enforce https setting.", 10 | "description": "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. 
Please note that Append does not enforce compliance; use Deny for that.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "App Service", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "defaultValue": "Append", 25 | "allowedValues": [ 26 | "Append", 27 | "Disabled" 28 | ], 29 | "metadata": { 30 | "displayName": "Effect", 31 | "description": "Enable or disable the execution of the policy" 32 | } 33 | } 34 | }, 35 | "policyRule": { 36 | "if": { 37 | "allOf": [ 38 | { 39 | "field": "type", 40 | "equals": "Microsoft.Web/sites" 41 | }, 42 | { 43 | "field": "Microsoft.Web/sites/httpsOnly", 44 | "notequals": true 45 | } 46 | ] 47 | }, 48 | "then": { 49 | "effect": "[[parameters('effect')]", 50 | "details": [ 51 | { 52 | "field": "Microsoft.Web/sites/httpsOnly", 53 | "value": true 54 | } 55 | ] 56 | } 57 | } 58 | } 59 | } 60 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Append-KV-SoftDelete", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "KeyVault SoftDelete should be enabled", 10 | "description": "This policy ensures that when a Key Vault is created without soft delete enabled, the setting is added.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Key Vault", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": {}, 22 | "policyRule": { 23 | "if": { 24 | 
"anyOf": [ 25 | { 26 | "allOf": [ 27 | { 28 | "field": "type", 29 | "equals": "Microsoft.KeyVault/vaults" 30 | }, 31 | { 32 | "field": "Microsoft.KeyVault/vaults/enableSoftDelete", 33 | "notEquals": true 34 | } 35 | ] 36 | } 37 | ] 38 | }, 39 | "then": { 40 | "effect": "append", 41 | "details": [ 42 | { 43 | "field": "Microsoft.KeyVault/vaults/enableSoftDelete", 44 | "value": true 45 | } 46 | ] 47 | } 48 | } 49 | } 50 | } 51 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Audit-ServerFarms-UnusedResourcesCostOptimization", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "displayName": "Unused App Service plans driving cost should be avoided", 9 | "mode": "All", 10 | "description": "Optimize cost by detecting unused but chargeable resources. 
Leverage this Policy definition as a cost control to reveal orphaned App Service plans that are driving cost.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Cost Optimization", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "metadata": { 25 | "displayName": "Effect", 26 | "description": "Enable or disable the execution of the policy" 27 | }, 28 | "allowedValues": [ 29 | "Audit", 30 | "Disabled" 31 | ], 32 | "defaultValue": "Audit" 33 | } 34 | }, 35 | "policyRule": { 36 | "if": { 37 | "allOf": [ 38 | { 39 | "field": "type", 40 | "equals": "Microsoft.Web/serverfarms" 41 | }, 42 | { 43 | "field": "Microsoft.Web/serverFarms/sku.tier", 44 | "notEquals": "Free" 45 | }, 46 | { 47 | "field": "Microsoft.Web/serverFarms/numberOfSites", 48 | "equals": 0 49 | } 50 | ] 51 | }, 52 | "then": { 53 | "effect": "[[parameters('effect')]" 54 | } 55 | } 56 | } 57 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AA-child-resources", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "No child resources in Automation Account", 10 | "description": "This policy denies the creation of child resources on the Automation Account", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Automation", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureUSGovernment" 18 | ] 19 | }, 20 | "parameters": { 21 | "effect": { 22 | "type": "String", 23 | 
"allowedValues": [ 24 | "Audit", 25 | "Deny", 26 | "Disabled" 27 | ], 28 | "defaultValue": "Deny", 29 | "metadata": { 30 | "displayName": "Effect", 31 | "description": "Enable or disable the execution of the policy" 32 | } 33 | } 34 | }, 35 | "policyRule": { 36 | "if": { 37 | "allOf": [ 38 | { 39 | "field": "type", 40 | "in": [ 41 | "Microsoft.Automation/automationAccounts/runbooks", 42 | "Microsoft.Automation/automationAccounts/variables", 43 | "Microsoft.Automation/automationAccounts/modules", 44 | "Microsoft.Automation/automationAccounts/credentials", 45 | "Microsoft.Automation/automationAccounts/connections", 46 | "Microsoft.Automation/automationAccounts/certificates" 47 | ] 48 | } 49 | ] 50 | }, 51 | "then": { 52 | "effect": "[[parameters('effect')]" 53 | } 54 | } 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP.AzureChinaCloud.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AFSPaasPublicIP", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Public network access should be disabled for Azure File Sync", 10 | "description": "Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. 
You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Storage", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureChinaCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Deny", 29 | "Disabled" 30 | ], 31 | "defaultValue": "Audit" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.StorageSync/storageSyncServices" 40 | }, 41 | { 42 | "field": "Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy", 43 | "notEquals": "AllowVirtualNetworksOnly" 44 | } 45 | ] 46 | }, 47 | "then": { 48 | "effect": "[[parameters('effect')]" 49 | } 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AppGW-Without-WAF", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Application Gateway should be deployed with WAF enabled", 10 | "description": "This policy ensures that Application Gateways are always deployed with WAF enabled", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Network", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 
23 | "type": "String", 24 | "allowedValues": [ 25 | "Audit", 26 | "Deny", 27 | "Disabled" 28 | ], 29 | "defaultValue": "Deny", 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.Network/applicationGateways" 42 | }, 43 | { 44 | "field": "Microsoft.Network/applicationGateways/sku.name", 45 | "notequals": "WAF_v2" 46 | } 47 | ] 48 | }, 49 | "then": { 50 | "effect": "[[parameters('effect')]" 51 | } 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AppServiceApiApp-http", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "API App should only be accessible over HTTPS", 10 | "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "App Service", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "defaultValue": "Deny", 25 | "allowedValues": [ 26 | "Audit", 27 | "Disabled", 28 | "Deny" 29 | ], 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.Web/sites" 42 | }, 43 | { 44 | 
"field": "kind", 45 | "like": "*api" 46 | }, 47 | { 48 | "field": "Microsoft.Web/sites/httpsOnly", 49 | "equals": "false" 50 | } 51 | ] 52 | }, 53 | "then": { 54 | "effect": "[[parameters('effect')]" 55 | } 56 | } 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AppServiceFunctionApp-http", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Function App should only be accessible over HTTPS", 10 | "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "App Service", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "defaultValue": "Deny", 25 | "allowedValues": [ 26 | "Audit", 27 | "Disabled", 28 | "Deny" 29 | ], 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.Web/sites" 42 | }, 43 | { 44 | "field": "kind", 45 | "like": "functionapp*" 46 | }, 47 | { 48 | "field": "Microsoft.Web/sites/httpsOnly", 49 | "equals": "false" 50 | } 51 | ] 52 | }, 53 | "then": { 54 | "effect": "[[parameters('effect')]" 55 | } 56 | } 57 | } 58 | } 59 | -------------------------------------------------------------------------------- 
/src/resources/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AppServiceWebApp-http", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Web Application should only be accessible over HTTPS", 10 | "description": "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "App Service", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "defaultValue": "Deny", 25 | "allowedValues": [ 26 | "Audit", 27 | "Disabled", 28 | "Deny" 29 | ], 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.Web/sites" 42 | }, 43 | { 44 | "field": "kind", 45 | "like": "app*" 46 | }, 47 | { 48 | "field": "Microsoft.Web/sites/httpsOnly", 49 | "equals": "false" 50 | } 51 | ] 52 | }, 53 | "then": { 54 | "effect": "[[parameters('effect')]" 55 | } 56 | } 57 | } 58 | } 59 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-AzFw-Without-Policy.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-AzFw-Without-Policy", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | 
"mode": "All", 9 | "displayName": "Azure Firewall should have a default Firewall Policy", 10 | "description": "This policy denies the creation of Azure Firewall without a default Firewall Policy.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Network", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "allowedValues": [ 25 | "Audit", 26 | "Deny", 27 | "Disabled" 28 | ], 29 | "defaultValue": "Deny", 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.Network/azureFirewalls" 42 | }, 43 | { 44 | "field": "Microsoft.Network/azureFirewalls/firewallPolicy.id", 45 | "exists": "false" 46 | } 47 | ] 48 | }, 49 | "then": { 50 | "effect": "[[parameters('effect')]" 51 | } 52 | } 53 | } 54 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Databricks-NoPublicIp", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Deny public IPs for Databricks cluster", 10 | "description": "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Databricks", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 
| "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.Databricks/workspaces" 40 | }, 41 | { 42 | "field": "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value", 43 | "notEquals": true 44 | } 45 | ] 46 | }, 47 | "then": { 48 | "effect": "[[parameters('effect')]" 49 | } 50 | } 51 | } 52 | } 53 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Databricks-Sku", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Deny non-premium Databricks sku", 10 | "description": "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Databricks", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": 
"Microsoft.Databricks/workspaces" 40 | }, 41 | { 42 | "field": "Microsoft.DataBricks/workspaces/sku.name", 43 | "notEquals": "premium" 44 | } 45 | ] 46 | }, 47 | "then": { 48 | "effect": "[[parameters('effect')]" 49 | } 50 | } 51 | } 52 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Databricks-VirtualNetwork", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Deny Databricks workspaces without Vnet injection", 10 | "description": "Enforces the use of vnet injection for Databricks workspaces.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Databricks", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.Databricks/workspaces" 40 | }, 41 | { 42 | "anyOf": [ 43 | { 44 | "field": "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value", 45 | "exists": false 46 | }, 47 | { 48 | "field": "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value", 49 | "exists": false 50 | }, 51 | { 52 | "field": "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value", 53 | "exists": false 54 | } 55 | ] 56 | } 57 | ] 58 | }, 59 | "then": { 60 | "effect": 
"[[parameters('effect')]" 61 | } 62 | } 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP.AzureChinaCloud.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-KeyVaultPaasPublicIP", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Preview: Azure Key Vault should disable public network access", 10 | "description": "Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.", 11 | "metadata": { 12 | "version": "2.0.0-preview", 13 | "category": "Key Vault", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "preview": true, 16 | "alzCloudEnvironments": [ 17 | "AzureChinaCloud" 18 | ] 19 | }, 20 | "parameters": { 21 | "effect": { 22 | "type": "String", 23 | "metadata": { 24 | "displayName": "Effect", 25 | "description": "Enable or disable the execution of the policy" 26 | }, 27 | "allowedValues": [ 28 | "Audit", 29 | "Deny", 30 | "Disabled" 31 | ], 32 | "defaultValue": "Audit" 33 | } 34 | }, 35 | "policyRule": { 36 | "if": { 37 | "allOf": [ 38 | { 39 | "field": "type", 40 | "equals": "Microsoft.KeyVault/vaults" 41 | }, 42 | { 43 | "not": { 44 | "field": "Microsoft.KeyVault/vaults/createMode", 45 | "equals": "recover" 46 | } 47 | }, 48 | { 49 | "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", 50 | "notEquals": "Deny" 51 | } 52 | ] 53 | }, 54 | "then": { 55 | "effect": "[[parameters('effect')]" 56 | } 57 | } 58 | } 59 | } 60 | -------------------------------------------------------------------------------- 
/src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-MachineLearning-Aks", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Deny AKS cluster creation in Azure Machine Learning", 10 | "description": "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Machine Learning", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.MachineLearningServices/workspaces/computes" 40 | }, 41 | { 42 | "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", 43 | "equals": "AKS" 44 | }, 45 | { 46 | "anyOf": [ 47 | { 48 | "field": "Microsoft.MachineLearningServices/workspaces/computes/resourceId", 49 | "exists": false 50 | }, 51 | { 52 | "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]", 53 | "equals": true 54 | } 55 | ] 56 | } 57 | ] 58 | }, 59 | "then": { 60 | "effect": "[[parameters('effect')]" 61 | } 62 | } 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-MachineLearning-Compute-SubnetId", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances", 10 | "description": "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Machine Learning", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.MachineLearningServices/workspaces/computes" 40 | }, 41 | { 42 | "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", 43 | "in": [ 44 | "AmlCompute", 45 | "ComputeInstance" 46 | ] 47 | }, 48 | { 49 | "anyOf": [ 50 | { 51 | "field": "Microsoft.MachineLearningServices/workspaces/computes/subnet.id", 52 | "exists": false 53 | }, 54 | { 55 | "value": "[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]", 56 | "equals": true 57 | } 58 | ] 59 | } 60 | ] 61 | }, 62 | "then": { 63 | "effect": "[[parameters('effect')]" 64 | } 65 | } 66 | } 67 | } 68 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "All", 9 | "displayName": "Deny public access of Azure Machine Learning clusters via SSH", 10 | "description": "Deny public access of Azure Machine Learning clusters via SSH.", 11 | "metadata": { 12 | "version": "1.1.0", 13 | "category": "Machine Learning", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.MachineLearningServices/workspaces/computes" 40 | }, 41 | { 42 | "field": "Microsoft.MachineLearningServices/workspaces/computes/computeType", 43 | "equals": "AmlCompute" 44 | }, 45 | { 46 | "anyOf": [ 47 | { 48 | "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", 49 | "exists": false 50 | }, 51 | { 52 | "field": "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess", 53 | "notEquals": "Disabled" 54 | } 55 | ] 56 | } 57 | ] 58 | }, 59 | "then": { 60 | "effect": "[[parameters('effect')]" 61 | } 62 | } 63 | } 64 | } 65 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": 
"Deny-MachineLearning-HbiWorkspace", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Enforces high business impact Azure Machine Learning Workspaces", 10 | "description": "Enforces high business impact Azure Machine Learning workspaces.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Machine Learning", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.MachineLearningServices/workspaces" 40 | }, 41 | { 42 | "anyOf": [ 43 | { 44 | "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", 45 | "exists": false 46 | }, 47 | { 48 | "field": "Microsoft.MachineLearningServices/workspaces/hbiWorkspace", 49 | "notEquals": true 50 | } 51 | ] 52 | } 53 | ] 54 | }, 55 | "then": { 56 | "effect": "[[parameters('effect')]" 57 | } 58 | } 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-MachineLearning-PublicAccessWhenBehindVnet", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Deny public access behind vnet to Azure 
Machine Learning workspace", 10 | "description": "Deny public access behind vnet to Azure Machine Learning workspaces.", 11 | "metadata": { 12 | "version": "1.0.1", 13 | "category": "Machine Learning", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud" 17 | ] 18 | }, 19 | "parameters": { 20 | "effect": { 21 | "type": "String", 22 | "metadata": { 23 | "displayName": "Effect", 24 | "description": "Enable or disable the execution of the policy" 25 | }, 26 | "allowedValues": [ 27 | "Audit", 28 | "Disabled", 29 | "Deny" 30 | ], 31 | "defaultValue": "Deny" 32 | } 33 | }, 34 | "policyRule": { 35 | "if": { 36 | "allOf": [ 37 | { 38 | "field": "type", 39 | "equals": "Microsoft.MachineLearningServices/workspaces" 40 | }, 41 | { 42 | "anyOf": [ 43 | { 44 | "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", 45 | "exists": false 46 | }, 47 | { 48 | "field": "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet", 49 | "notEquals": false 50 | } 51 | ] 52 | } 53 | ] 54 | }, 55 | "then": { 56 | "effect": "[[parameters('effect')]" 57 | } 58 | } 59 | } 60 | } 61 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-MachineLearning-PublicNetworkAccess", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "[Deprecated] Azure Machine Learning should have disabled public network access", 10 | "description": "Denies public network access for Azure Machine Learning workspaces. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html", 11 | "metadata": { 12 | "version": "1.0.0-deprecated", 13 | "category": "Machine Learning", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "deprecated": true, 16 | "supersededBy": "438c38d2-3772-465a-a9cc-7a6666a275ce", 17 | "alzCloudEnvironments": [ 18 | "AzureCloud" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "metadata": { 25 | "displayName": "Effect", 26 | "description": "Enable or disable the execution of the policy" 27 | }, 28 | "allowedValues": [ 29 | "Audit", 30 | "Disabled", 31 | "Deny" 32 | ], 33 | "defaultValue": "Deny" 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.MachineLearningServices/workspaces" 42 | }, 43 | { 44 | "field": "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess", 45 | "notEquals": "Disabled" 46 | } 47 | ] 48 | }, 49 | "then": { 50 | "effect": "[[parameters('effect')]" 51 | } 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Private-DNS-Zones", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Deny the creation of private DNS", 10 | "description": "This policy denies the creation of private DNS zones in the current scope. It is used in combination with policies that create centralized private DNS zones in the connectivity subscription.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Network", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 |
"AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "allowedValues": [ 25 | "Audit", 26 | "Deny", 27 | "Disabled" 28 | ], 29 | "defaultValue": "Deny", 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "field": "type", 39 | "equals": "Microsoft.Network/privateDnsZones" 40 | }, 41 | "then": { 42 | "effect": "[[parameters('effect')]" 43 | } 44 | } 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-PublicEndpoint-MariaDB", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "[Deprecated] Public network access should be disabled for MariaDB", 10 | "description": "This policy denies the creation of MariaDB servers with exposed public endpoints.
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html", 11 | "metadata": { 12 | "version": "1.0.0-deprecated", 13 | "category": "SQL", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "deprecated": true, 16 | "supersededBy": "fdccbe47-f3e3-4213-ad5d-ea459b2fa077", 17 | "alzCloudEnvironments": [ 18 | "AzureCloud", 19 | "AzureChinaCloud", 20 | "AzureUSGovernment" 21 | ] 22 | }, 23 | "parameters": { 24 | "effect": { 25 | "type": "String", 26 | "allowedValues": [ 27 | "Audit", 28 | "Deny", 29 | "Disabled" 30 | ], 31 | "defaultValue": "Deny", 32 | "metadata": { 33 | "displayName": "Effect", 34 | "description": "Enable or disable the execution of the policy" 35 | } 36 | } 37 | }, 38 | "policyRule": { 39 | "if": { 40 | "allOf": [ 41 | { 42 | "field": "type", 43 | "equals": "Microsoft.DBforMariaDB/servers" 44 | }, 45 | { 46 | "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess", 47 | "notequals": "Disabled" 48 | } 49 | ] 50 | }, 51 | "then": { 52 | "effect": "[[parameters('effect')]" 53 | } 54 | } 55 | } 56 | } 57 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-PublicIP.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-PublicIP", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "[Deprecated] Deny the creation of public IP", 10 | "description": "[Deprecated] This policy denies creation of Public IPs under the assigned scope. 
Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.", 11 | "metadata": { 12 | "deprecated": true, 13 | "supersededBy": "6c112d4e-5bc7-47ae-a041-ea2d9dccd749", 14 | "version": "1.0.0-deprecated", 15 | "category": "Network", 16 | "source": "https://github.com/Azure/Enterprise-Scale/", 17 | "alzCloudEnvironments": [ 18 | "AzureCloud", 19 | "AzureChinaCloud", 20 | "AzureUSGovernment" 21 | ] 22 | }, 23 | "parameters": { 24 | "effect": { 25 | "type": "String", 26 | "allowedValues": [ 27 | "Audit", 28 | "Deny", 29 | "Disabled" 30 | ], 31 | "defaultValue": "Deny", 32 | "metadata": { 33 | "displayName": "Effect", 34 | "description": "Enable or disable the execution of the policy" 35 | } 36 | } 37 | }, 38 | "policyRule": { 39 | "if": { 40 | "field": "type", 41 | "equals": "Microsoft.Network/publicIPAddresses" 42 | }, 43 | "then": { 44 | "effect": "[[parameters('effect')]" 45 | } 46 | } 47 | } 48 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Storage-NetworkAclsVirtualNetworkRules", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "All", 9 | "displayName": "Virtual network rules should be restricted for Storage Accounts", 10 | "description": "Azure Storage accounts should restrict the virtual network service-level network ACLs. 
Enforce this for increased data exfiltration protection.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Storage", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "allowedValues": [ 25 | "Audit", 26 | "Deny", 27 | "Disabled" 28 | ], 29 | "defaultValue": "Deny", 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.Storage/storageAccounts" 42 | }, 43 | { 44 | "count": { 45 | "field": "Microsoft.Storage/storageAccounts/networkAcls.virtualNetworkRules[*]" 46 | }, 47 | "greater": 0 48 | } 49 | ] 50 | }, 51 | "then": { 52 | "effect": "[[parameters('effect')]" 53 | } 54 | } 55 | } 56 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-Storage-SFTP", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "Storage Accounts with SFTP enabled should be denied", 10 | "description": "This policy denies the creation of Storage Accounts with SFTP enabled for Blob Storage.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Storage", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "defaultValue": "Deny", 25 | "allowedValues": [ 26 | 
"Audit", 27 | "Deny", 28 | "Disabled" 29 | ], 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "The effect determines what happens when the policy rule is evaluated to match" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals": "Microsoft.Storage/storageAccounts" 42 | }, 43 | { 44 | "field": "Microsoft.Storage/storageAccounts/isSftpEnabled", 45 | "equals": "true" 46 | } 47 | ] 48 | }, 49 | "then": { 50 | "effect": "[[parameters('effect')]" 51 | } 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-StorageAccount-CustomDomain.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-StorageAccount-CustomDomain", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "All", 9 | "displayName": "Storage Accounts with custom domains assigned should be denied", 10 | "description": "This policy denies the creation of Storage Accounts with custom domains assigned, because communication over a custom domain cannot be encrypted and always uses HTTP.", 11 | "metadata": { 12 | "version": "1.0.0", 13 | "category": "Storage", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "defaultValue": "Deny", 25 | "allowedValues": [ 26 | "Audit", 27 | "Deny", 28 | "Disabled" 29 | ], 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "The effect determines what happens when the policy rule is evaluated to match" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "allOf": [ 39 | { 40 | "field": "type", 41 | "equals":
"Microsoft.Storage/storageAccounts" 42 | }, 43 | { 44 | "anyOf": [ 45 | { 46 | "field": "Microsoft.Storage/storageAccounts/customDomain", 47 | "exists": "true" 48 | }, 49 | { 50 | "field": "Microsoft.Storage/storageAccounts/customDomain.useSubDomainName", 51 | "equals": "true" 52 | } 53 | ] 54 | } 55 | ] 56 | }, 57 | "then": { 58 | "effect": "[[parameters('effect')]" 59 | } 60 | } 61 | } 62 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Deny-VNet-Peering", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "All", 9 | "displayName": "Deny vNet peering ", 10 | "description": "This policy denies the creation of vNet Peerings under the assigned scope.", 11 | "metadata": { 12 | "version": "1.0.1", 13 | "category": "Network", 14 | "source": "https://github.com/Azure/Enterprise-Scale/", 15 | "alzCloudEnvironments": [ 16 | "AzureCloud", 17 | "AzureChinaCloud", 18 | "AzureUSGovernment" 19 | ] 20 | }, 21 | "parameters": { 22 | "effect": { 23 | "type": "String", 24 | "allowedValues": [ 25 | "Audit", 26 | "Deny", 27 | "Disabled" 28 | ], 29 | "defaultValue": "Deny", 30 | "metadata": { 31 | "displayName": "Effect", 32 | "description": "Enable or disable the execution of the policy" 33 | } 34 | } 35 | }, 36 | "policyRule": { 37 | "if": { 38 | "field": "type", 39 | "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings" 40 | }, 41 | "then": { 42 | "effect": "[[parameters('effect')]" 43 | } 44 | } 45 | } 46 | } 47 | -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "name": "DenyAction-ActivityLogs", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "DenyAction implementation on Activity Logs", 10 | "description": "This is a DenyAction implementation policy on Activity Logs.", 11 | "metadata": { 12 | "deprecated": false, 13 | "version": "1.0.0", 14 | "category": "Monitoring", 15 | "source": "https://github.com/Azure/Enterprise-Scale/", 16 | "alzCloudEnvironments": [ 17 | "AzureCloud", 18 | "AzureChinaCloud", 19 | "AzureUSGovernment" 20 | ] 21 | }, 22 | "parameters": {}, 23 | "policyRule": { 24 | "if": { 25 | "field": "type", 26 | "equals": "Microsoft.Resources/subscriptions/providers/diagnosticSettings" 27 | }, 28 | "then": { 29 | "effect": "denyAction", 30 | "details": { 31 | "actionNames": [ 32 | "delete" 33 | ] 34 | } 35 | } 36 | } 37 | } 38 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "DenyAction-DiagnosticLogs", 3 | "type": "Microsoft.Authorization/policyDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "mode": "Indexed", 9 | "displayName": "DenyAction implementation on Diagnostic Logs.", 10 | "description": "DenyAction implementation on Diagnostic Logs.", 11 | "metadata": { 12 | "deprecated": false, 13 | "version": "1.0.0", 14 | "category": "Monitoring", 15 | "source": "https://github.com/Azure/Enterprise-Scale/", 16 | "alzCloudEnvironments": [ 17 | "AzureCloud", 18 | "AzureChinaCloud", 19 | "AzureUSGovernment" 20 | ] 21 | }, 22 | "parameters": {}, 23 | "policyRule": { 24 | "if": { 25 | "field": 
"type", 26 | "equals": "Microsoft.Insights/diagnosticSettings" 27 | }, 28 | "then": { 29 | "effect": "denyAction", 30 | "details": { 31 | "actionNames": [ 32 | "delete" 33 | ] 34 | } 35 | } 36 | } 37 | } 38 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "DenyAction-DeleteProtection", 3 | "type": "Microsoft.Authorization/policySetDefinitions", 4 | "apiVersion": "2021-06-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings", 9 | "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.", 10 | "metadata": { 11 | "version": "1.1.0", 12 | "category": "Monitoring", 13 | "source": "https://github.com/Azure/Enterprise-Scale/", 14 | "alzCloudEnvironments": [ 15 | "AzureCloud", 16 | "AzureChinaCloud", 17 | "AzureUSGovernment" 18 | ] 19 | }, 20 | "parameters": {}, 21 | "policyDefinitions": [ 22 | { 23 | "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings", 24 | "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs", 25 | "definitionVersion": "1.*.*", 26 | "parameters": {}, 27 | "groupNames": [] 28 | }, 29 | { 30 | "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings", 31 | "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs", 32 | "definitionVersion": "1.*.*", 33 | "parameters": {}, 34 | "groupNames": [] 35 | } 36 | ], 37 | "policyDefinitionGroups": null 38 | } 39 | } -------------------------------------------------------------------------------- 
/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-ALZ-Decomm", 3 | "type": "Microsoft.Authorization/policySetDefinitions", 4 | "apiVersion": "2023-04-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "displayName": "Enforce policies in the Decommissioned Landing Zone", 9 | "description": "Enforce policies in the Decommissioned Landing Zone.", 10 | "metadata": { 11 | "version": "1.1.0", 12 | "category": "Decommissioned", 13 | "source": "https://github.com/Azure/Enterprise-Scale/", 14 | "alzCloudEnvironments": [ 15 | "AzureCloud", 16 | "AzureChinaCloud", 17 | "AzureUSGovernment" 18 | ] 19 | }, 20 | "parameters": { 21 | "listOfResourceTypesAllowed":{ 22 | "type": "Array", 23 | "defaultValue": [], 24 | "metadata": { 25 | "displayName": "Allowed resource types in the Decommissioned landing zone", 26 | "description": "Allowed resource types in the Decommissioned landing zone, default is none.", 27 | "strongType": "resourceTypes" 28 | } 29 | } 30 | }, 31 | "policyDefinitions": [ 32 | { 33 | "policyDefinitionReferenceId": "DecomDenyResources", 34 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", 35 | "definitionVersion": "1.*.*", 36 | "parameters": { 37 | "listOfResourceTypesAllowed": { 38 | "value": "[[parameters('listOfResourceTypesAllowed')]" 39 | } 40 | }, 41 | "groupNames": [] 42 | }, 43 | { 44 | "policyDefinitionReferenceId": "DecomShutdownMachines", 45 | "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown", 46 | "definitionVersion": "1.*.*", 47 | "parameters": {}, 48 | "groupNames": [] 49 | } 50 | ], 51 | "policyDefinitionGroups": null 52 | } 53 | } 54 | -------------------------------------------------------------------------------- 
/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-Guardrails-ContainerInstance", 3 | "type": "Microsoft.Authorization/policySetDefinitions", 4 | "apiVersion": "2023-04-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | "displayName": "Enforce recommended guardrails for Container Instance", 9 | "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", 10 | "metadata": { 11 | "version": "1.1.0", 12 | "category": "Container Instances", 13 | "source": "https://github.com/Azure/Enterprise-Scale/", 14 | "alzCloudEnvironments": [ 15 | "AzureCloud", 16 | "AzureChinaCloud", 17 | "AzureUSGovernment" 18 | ] 19 | }, 20 | "parameters": { 21 | "containerInstanceVnet": { 22 | "type": "string", 23 | "defaultValue": "Deny", 24 | "allowedValues": [ 25 | "Audit", 26 | "Deny", 27 | "Disabled" 28 | ] 29 | } 30 | }, 31 | "policyDefinitions": [ 32 | { 33 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615", 34 | "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet", 35 | "definitionVersion": "2.*.*", 36 | "groupNames": [], 37 | "parameters": { 38 | "effect": { 39 | "value": "[[parameters('containerInstanceVnet')]" 40 | } 41 | } 42 | } 43 | ], 44 | "policyDefinitionGroups": null 45 | } 46 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "Enforce-Guardrails-PostgreSQL", 3 | "type": "Microsoft.Authorization/policySetDefinitions", 4 | "apiVersion": "2023-04-01", 5 | "scope": null, 6 | "properties": { 7 | "policyType": "Custom", 8 | 
"displayName": "Enforce recommended guardrails for PostgreSQL", 9 | "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.", 10 | "metadata": { 11 | "version": "1.1.0", 12 | "category": "PostgreSQL", 13 | "source": "https://github.com/Azure/Enterprise-Scale/", 14 | "alzCloudEnvironments": [ 15 | "AzureCloud", 16 | "AzureChinaCloud", 17 | "AzureUSGovernment" 18 | ] 19 | }, 20 | "parameters": { 21 | "postgreSqlAdvThreatProtection": { 22 | "type": "string", 23 | "defaultValue": "DeployIfNotExists", 24 | "allowedValues": [ 25 | "DeployIfNotExists", 26 | "Disabled" 27 | ] 28 | } 29 | }, 30 | "policyDefinitions": [ 31 | { 32 | "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3", 33 | "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection", 34 | "definitionVersion": "1.*.*", 35 | "groupNames": [], 36 | "parameters": { 37 | "effect": { 38 | "value": "[[parameters('postgreSqlAdvThreatProtection')]" 39 | } 40 | } 41 | } 42 | ], 43 | "policyDefinitionGroups": null 44 | } 45 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/roleDefinitions/Application-Owners.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "c9a07a05-a1fc-53fe-a565-5eed25597c03", 3 | "type": "Microsoft.Authorization/roleDefinitions", 4 | "apiVersion": "2022-04-01", 5 | "properties": { 6 | "roleName": "Application-Owners", 7 | "description": "Contributor role granted for application/operations team at resource group level", 8 | "type": "customRole", 9 | "permissions": [ 10 | { 11 | "actions": [ 12 | "*" 13 | ], 14 | "notActions": [ 15 | "Microsoft.Authorization/*/write", 16 | "Microsoft.Network/publicIPAddresses/write", 17 | "Microsoft.Network/virtualNetworks/write", 18 | "Microsoft.KeyVault/locations/deletedVaults/purge/action" 19 | ], 
20 | "dataActions": [], 21 | "notDataActions": [] 22 | } 23 | ], 24 | "assignableScopes": [ 25 | "/providers/Microsoft.Management/managementGroups/contoso" 26 | ] 27 | } 28 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/roleDefinitions/Network-Management.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "dc726155-3983-5405-b446-9bb27b94e02c", 3 | "type": "Microsoft.Authorization/roleDefinitions", 4 | "apiVersion": "2022-04-01", 5 | "properties": { 6 | "roleName": "Network-Management", 7 | "description": "Platform-wide global connectivity management: virtual networks, UDRs, NSGs, NVAs, VPN, Azure ExpressRoute, and others", 8 | "type": "customRole", 9 | "permissions": [ 10 | { 11 | "actions": [ 12 | "*/read", 13 | "Microsoft.Network/*", 14 | "Microsoft.Resources/deployments/*", 15 | "Microsoft.Support/*" 16 | ], 17 | "notActions": [], 18 | "dataActions": [], 19 | "notDataActions": [] 20 | } 21 | ], 22 | "assignableScopes": [ 23 | "/providers/Microsoft.Management/managementGroups/contoso" 24 | ] 25 | } 26 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/roleDefinitions/OssDb-Owners.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "6fca939a-1b08-420b-affd-3d3061ecceb2", 3 | "type": "Microsoft.Authorization/roleDefinitions", 4 | "apiVersion": "2022-04-01", 5 | "properties": { 6 | "roleName": "OssDb-Owners", 7 | "description": "Platform-wide Open Source Database Owners: PostgreSQL, MySql", 8 | "type": "customRole", 9 | "permissions": [ 10 | { 11 | "actions": [ 12 | "Microsoft.Authorization/*/read", 13 | "Microsoft.Insights/alertRules/*", 14 | "Microsoft.Resources/deployments/*", 15 | "Microsoft.Resources/subscriptions/resourceGroups/read", 16 | "Microsoft.DBforMySQL/*", 17 | "Microsoft.DBforPostgreSQL/*", 18 | 
"Microsoft.DBforMariaDB/*" 19 | ], 20 | "notActions": [], 21 | "dataActions": [], 22 | "notDataActions": [] 23 | } 24 | ], 25 | "assignableScopes": [ 26 | "/providers/Microsoft.Management/managementGroups/contoso" 27 | ] 28 | } 29 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/roleDefinitions/Security-Operations.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "d3584a79-4f0d-5980-aa3c-7a76ba783b76", 3 | "type": "Microsoft.Authorization/roleDefinitions", 4 | "apiVersion": "2022-04-01", 5 | "properties": { 6 | "roleName": "Security-Operations", 7 | "description": "Security Administrator role with a horizontal view across the entire Azure estate and the Azure Key Vault purge policy.", 8 | "type": "customRole", 9 | "permissions": [ 10 | { 11 | "actions": [ 12 | "*/read", 13 | "*/register/action", 14 | "Microsoft.KeyVault/locations/deletedVaults/purge/action", 15 | "Microsoft.PolicyInsights/*", 16 | "Microsoft.Authorization/policyAssignments/*", 17 | "Microsoft.Authorization/policyDefinitions/*", 18 | "Microsoft.Authorization/policyExemptions/*", 19 | "Microsoft.Authorization/policySetDefinitions/*", 20 | "Microsoft.Insights/alertRules/*", 21 | "Microsoft.Resources/deployments/*", 22 | "Microsoft.Security/*", 23 | "Microsoft.Support/*" 24 | ], 25 | "notActions": [], 26 | "dataActions": [], 27 | "notDataActions": [] 28 | } 29 | ], 30 | "assignableScopes": [ 31 | "/providers/Microsoft.Management/managementGroups/contoso" 32 | ] 33 | } 34 | } -------------------------------------------------------------------------------- /src/resources/Microsoft.Authorization/roleDefinitions/Subscription-Owner.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "402344ce-48c4-5ac1-9320-16726050f964", 3 | "type": "Microsoft.Authorization/roleDefinitions", 4 | "apiVersion": "2022-04-01", 5 | "properties": { 
6 | "roleName": "Subscription-Owner", 7 | "description": "Delegated role for subscription owner generated from subscription Owner role", 8 | "type": "customRole", 9 | "permissions": [ 10 | { 11 | "actions": [ 12 | "*" 13 | ], 14 | "notActions": [ 15 | "Microsoft.Authorization/*/write", 16 | "Microsoft.Network/vpnGateways/*", 17 | "Microsoft.Network/expressRouteCircuits/*", 18 | "Microsoft.Network/routeTables/write", 19 | "Microsoft.Network/vpnSites/*" 20 | ], 21 | "dataActions": [], 22 | "notDataActions": [] 23 | } 24 | ], 25 | "assignableScopes": [ 26 | "/providers/Microsoft.Management/managementGroups/contoso" 27 | ] 28 | } 29 | } -------------------------------------------------------------------------------- /src/scripts/Invoke-ActionRemoveOrphanedRBAC.ps1: -------------------------------------------------------------------------------- 1 | #!/usr/bin/pwsh 2 | 3 | # 4 | # PowerShell Script 5 | # - Remove orphaned role assignments from the specified Subscriptions 6 | # 7 | 8 | [CmdletBinding(SupportsShouldProcess)] 9 | param ( 10 | [Parameter()][String]$AlzToolsPath = "$PWD/src/Alz.Tools", 11 | [Parameter()][String]$SubscriptionConfigPath = "$($env:TEMP_SUBSCRIPTIONS_JSON_PATH)", 12 | [Parameter()][String[]]$SubscriptionIds 13 | ) 14 | 15 | $ErrorActionPreference = "Stop" 16 | 17 | # Save the current $InformationPreference value and set to continue 18 | $InitialInformationPreference = $InformationPreference 19 | $InformationPreference = 'Continue' 20 | 21 | # Load the Subscription configuration from file if SubscriptionIds IsNullOrEmpty 22 | if ([String]::IsNullOrEmpty($SubscriptionIds)) { 23 | Write-Information "==> Loading subscription aliases from : $SubscriptionConfigPath" 24 | $subscriptions = Get-Content -Path $SubscriptionConfigPath | ConvertFrom-Json 25 | $SubscriptionIds = $subscriptions.properties.subscriptionId 26 | } 27 | 28 | # This script relies on a custom set of classes and functions 29 | # defined within the Alz.Tools PowerShell module. 
30 | Write-Information "==> Import Alz.Tools PowerShell module..." 31 | Import-Module $AlzToolsPath 32 | 33 | Write-Information "==> Process subscriptions to remove orphaned role assignments..." 34 | Invoke-RemoveOrphanedRoleAssignment -SubscriptionId $subscriptionIds -WhatIf:$WhatIfPreference 35 | 36 | # Revert InformationPreference to original value 37 | $InformationPreference = $InitialInformationPreference 38 | -------------------------------------------------------------------------------- /src/templates/roles.bicep: -------------------------------------------------------------------------------- 1 | targetScope = 'managementGroup' 2 | 3 | // Extract the environment name to dynamically determine which policies to deploy. 4 | var cloudEnv = environment().name 5 | 6 | // The following var contains lists of files containing Role Definition resources to load, grouped by compatibility with Cloud. 7 | var loadRoleDefinitions = { 8 | All: [ 9 | loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Application-Owners.json') 10 | loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Network-Management.json') 11 | loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Security-Operations.json') 12 | loadJsonContent('../resources/Microsoft.Authorization/roleDefinitions/Subscription-Owner.json') 13 | ] 14 | AzureCloud: [] 15 | AzureChinaCloud: [] 16 | AzureUSGovernment: [] 17 | } 18 | 19 | // The following var is used to compile the required Role Definitions into a single object 20 | var roleDefinitionsByCloudType = { 21 | All: loadRoleDefinitions.All 22 | AzureCloud: loadRoleDefinitions.AzureCloud 23 | AzureChinaCloud: loadRoleDefinitions.AzureChinaCloud 24 | AzureUSGovernment: loadRoleDefinitions.AzureUSGovernment 25 | } 26 | 27 | // The following var is used to extract the Role Definitions into a single list for deployment 28 | // This will contain all Role Definitions classified as available for All cloud environments, 
and those for the current cloud environment 29 | var roleDefinitions = concat(roleDefinitionsByCloudType.All, roleDefinitionsByCloudType[cloudEnv]) 30 | 31 | // Create the Role Definitions as needed for the target cloud environment 32 | resource RoleDefinitions 'Microsoft.Authorization/roleDefinitions@2022-04-01' = [for role in roleDefinitions: { 33 | name: guid(role.properties.roleName, managementGroup().name) 34 | properties: { 35 | roleName: '[${managementGroup().name}] ${role.properties.roleName}' 36 | description: role.properties.description 37 | type: role.properties.type 38 | permissions: role.properties.permissions 39 | assignableScopes: [ 40 | managementGroup().id 41 | ] 42 | } 43 | }] 44 | -------------------------------------------------------------------------------- /tests/utils/Generic.Utils.psm1: -------------------------------------------------------------------------------- 1 | <# 2 | .SYNOPSIS 3 | Generates a random string of a given length. 4 | .DESCRIPTION 5 | Generates a random string of a given length. 6 | .PARAMETER Length 7 | The length of the random string to generate. 
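8 | .EXAMPLE 9 | $randomString = GenerateRandomString 10 | #>
function GenerateRandomString {
    param (
        [Parameter()]
        [ValidateRange(1, [ushort]::MaxValue)]
        [ushort]$Length = 15
    )

    # Characters the result may contain: lowercase ASCII letters and digits.
    $TokenSet = @{
        L = [Char[]]'abcdefghijklmnopqrstuvwxyz'
        N = [Char[]]'0123456789'
    }
    $Alphabet = $TokenSet.L + $TokenSet.N

    # Draw every character independently. The previous implementation sampled
    # without replacement from a 25-character pool, so any -Length above 25
    # silently produced a 25-character string and no character could repeat.
    $Chars = foreach ($Index in 1..$Length) {
        Get-Random -InputObject $Alphabet
    }
    $RandomString = $Chars -join ''

    return $RandomString
}

<#
    .SYNOPSIS
    Generates a random password-style string of a given length.
    .DESCRIPTION
    Builds a string from uppercase letters, lowercase letters, digits and
    punctuation. When Length is 4 or more, the result contains at least one
    character from each of the four classes.
    .PARAMETER Length
    The length of the string to generate.
    .EXAMPLE
    $password = GeneratePasswordString -Length 20
#>
function GeneratePasswordString {
    param (
        [Parameter()]
        [ValidateRange(1, [ushort]::MaxValue)]
        [ushort]$Length = 15
    )

    $TokenSet = @{
        U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
        L = [Char[]]'abcdefghijklmnopqrstuvwxyz'
        N = [Char[]]'0123456789'
        S = [Char[]]'!"#$%&''()*+,-./:;<=>?@[\]^_`{|}~'
    }
    $Alphabet = $TokenSet.U + $TokenSet.L + $TokenSet.N + $TokenSet.S

    # NOTE: Get-Random is not documented as a cryptographically secure
    # generator. Treat the value as a throwaway fixture, not as a secret for a
    # long-lived account; use a cryptographic RNG where that matters.
    $Chars = [System.Collections.Generic.List[char]]::new()

    # Seed the result with one character per class (as far as Length allows) so
    # that complexity rules requiring mixed classes are met deterministically.
    foreach ($Class in 'U', 'L', 'N', 'S') {
        if ($Chars.Count -lt $Length) {
            $Chars.Add((Get-Random -InputObject $TokenSet[$Class]))
        }
    }

    # Fill the remainder with independent draws from the full alphabet. The
    # previous implementation sampled without replacement from a 20-character
    # pool, which capped the output at 20 characters regardless of -Length.
    while ($Chars.Count -lt $Length) {
        $Chars.Add((Get-Random -InputObject $Alphabet))
    }

    # Shuffle so the guaranteed characters do not sit at fixed positions.
    $RandomString = ($Chars | Get-Random -Count $Chars.Count) -join ''

    return $RandomString
}
-------------------------------------------------------------------------------- /utils/policyTesting/Install-PolicySetDefinitions.ps1: -------------------------------------------------------------------------------- 1 | param( 2 | $managementGroupId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", 3 | $policySetDefinitionFolderPath = "./src/resources/Microsoft.Authorization/policySetDefinitions", 4 | $policySetFileName = "Deploy-Private-DNS-Zones.json", 5 | $uninstall = $false 6 | ) 7 | 8 | $policySetDefinition = Get-Content -Raw "$policySetDefinitionFolderPath/$policySetFileName" 9 | $policySetDefinition =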
$policySetDefinition.Replace("[[", "[") 10 | $policySetDefinitionObject = ConvertFrom-Json $policySetDefinition 11 | $apiVersion = $policySetDefinitionObject.apiVersion 12 | $policySetDefinitionName = $policySetDefinitionObject.name 13 | 14 | $policySetDefinitionFinal = @{ 15 | properties = $policySetDefinitionObject.properties 16 | } 17 | 18 | $policySetDefinitionFinalJson = ConvertTo-Json $policySetDefinitionFinal -Depth 100 19 | 20 | $uri = "/providers/Microsoft.Management/managementGroups/$($managementGroupId)/providers/Microsoft.Authorization/policySetDefinitions/$($policySetDefinitionName)?api-version=$($apiVersion)" 21 | 22 | if($uninstall) { 23 | Invoke-AzRestMethod ` 24 | -Method DELETE ` 25 | -Path $uri 26 | return 27 | } 28 | 29 | Invoke-AzRestMethod ` 30 | -Method PUT ` 31 | -Path $uri ` 32 | -Payload $policySetDefinitionFinalJson 33 | -------------------------------------------------------------------------------- /workloads/README.md: -------------------------------------------------------------------------------- 1 | # ARM templates and Bicep files for compliant workload deployments 2 | 3 | Please head to [Deploy Azure landing zones in the Azure Architecture Center](https://aka.ms/alz/aac) or [Azure Verified Modules](https://aka.ms/avm) for more information. 4 | --------------------------------------------------------------------------------