diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index 9775bd9d3..53ea412b1 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -52,6 +52,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: ### 🔃 Policy Refresh Q2 FY25 +- *Policy Versioning Support* - all initiatives and assignments have been pinned to the current major version of built-in policies or initiatives deployed by ALZ. This ensures that all ALZ deployments will successfully deploy using the currently validated versions of ALZ built-in policies and initiatives. As these get updated the team will validate changes and impact before incrementing the recommended version. - Fixed a Portal Accelerator bug that results in failed deployment when choosing not to deploy policies to the Identity management group. - Updated the display name of the many `Effect` parameters to clearly identify the policy it applies to in the initiative [Enforce recommended guardrails for Azure Key Vault](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-KeyVault.html). - Updated the policy and policySet definition API version `2023-04-01` to supporting policy versioning. In this repo, this is used in the master policies.json and initiatives.json files, that are built from individual policy and initiative files in the src folder. diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json index 5186b3e49..36c7c180d 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-AppGwWafPolicyAssignment.json @@ -26,7 +26,8 @@ }, "variables": { "policyDefinitions": { - "auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66" + "auditWAF": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "auditWAF": "Audit-AppGW-WAF", @@ -42,12 +43,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').auditWAF]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').auditWAF]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json index 283cf25ac..3474eb30b 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a" + "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "auditRGL": "Audit-ResourceRGLocation", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').auditRGL]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').auditRGL]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json index 97bb4e064..725392731 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json @@ -35,7 +35,8 @@ }, "variables": { "policyDefinitions": { - "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5" + "auditZR": "/providers/Microsoft.Authorization/policySetDefinitions/130fb88f-0fc9-4678-bfe1-31022d71c7d5", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "auditZR": "Audit-ZoneResiliency", @@ -51,12 +52,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').auditZR]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').auditZR]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json index 5df1fa7f1..abfd6425d 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json @@ -13,7 +13,8 @@ }, "variables": { "policyDefinitions": { - "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99" + "denyAksNoPrivEsc": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", + "policyVersion": "7.*.*" }, "policyAssignmentNames": { "denyAksNoPrivEsc": "Deny-Priv-Esc-AKS", @@ -24,12 +25,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyAksNoPrivEsc]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyAksNoPrivEsc]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "effect": { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json index 3f4fde274..2452c4bd3 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json @@ -13,7 +13,8 @@ }, "variables": { "policyDefinitions": { - "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4" + "denyAksPriv": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", + "policyVersion": "9.*.*" }, "policyAssignmentNames": { "denyAksPriv": "Deny-Privileged-AKS", @@ -24,12 +25,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyAksPriv]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyAksPriv]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "effect": { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json index dedf8bf2c..3b7fcee0b 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-AksWithoutHttpsPolicyAssignment.json @@ -13,7 +13,8 @@ }, "variables": { "policyDefinitions": { - "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d" + "denyHttpIngressAks": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "policyVersion": "8.*.*" }, "policyAssignmentNames": { "denyHttpIngressAks": "Enforce-AKS-HTTPS", @@ -24,12 +25,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyHttpIngressAks]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyHttpIngressAks]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "effect": { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json index 63325713d..26961652b 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json @@ -25,7 +25,8 @@ }, "variables": { "policyDefinitions": { - "denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + "denyClassicResources": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "denyClassicResources": "Deny-Classic-Resources", @@ -41,12 +42,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyClassicResources]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyClassicResources]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json index e695b06b3..def5fe2d2 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-HybridNetworkingPolicyAssignment.json @@ -25,7 +25,8 @@ }, "variables": { "policyDefinitions": { - "denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + "denyHybridNetworking": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "denyHybridNetworking": "Deny-HybridNetworking", @@ -41,12 +42,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyHybridNetworking]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyHybridNetworking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json index 5aed8232e..40aa9beac 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-IPForwardingPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900" + "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "denyIpForwarding": "Deny-IP-forwarding", @@ -33,7 +34,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyIpForwarding]", "properties": { "description": "[variables('policyAssignmentNames').description]", @@ -44,7 +45,8 @@ "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]" } ], - "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]" + "policyDefinitionId": "[variables('policyDefinitions').denyIpForwarding]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]" } } ], diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json index 941292cc9..9d1b8025f 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressOnNICPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114" + "denyPipOnNic": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "denyPipOnNIC": "Deny-Public-IP-On-NIC", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyPipOnNic]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyPipOnNic]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json index b7c17d5b5..ced5859da 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-PublicIpAddressPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749" + "denyPip": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "denyPip": "Deny-Public-IP", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyPip]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyPip]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json index 05cda1768..294ede565 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-StorageWithoutHttpsPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9" + "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "storageHttps": "Deny-Storage-http", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').storageHttps]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').storageHttps]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json index 786b5e666..19b6e272a 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d" + "denyVMUnmanagedDisk": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "denyVMUnmanagedDisk": "Deny-UnmanagedDisk", @@ -33,12 +34,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').denyVMUnmanagedDisk]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').denyVMUnmanagedDisk]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json index af1d1d71f..7ebe339e8 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json @@ -17,7 +17,8 @@ }, "variables": { "policyDefinitions": { - "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8" + "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8", + "policyVersion": "57.*.*" }, "policyAssignmentNames": { "ascMonitoring": "Deploy-ASC-Monitoring", @@ -33,7 +34,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').ascMonitoring]", "location": "[deployment().location]", "identity": { @@ -43,6 +44,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').ascMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json index 051665e46..c33dd3b60 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ActivityLogPolicyAssignment.json @@ -29,7 +29,8 @@ }, "variables": { "policyDefinitions": { - "deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f" + "deployAzureActivityLog": "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "azureActivityLog": "Deploy-AzActivity-Log", @@ -51,7 +52,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureActivityLog]", "location": "[deployment().location]", "identity": { @@ -61,6 +62,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployAzureActivityLog]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json index d1959f014..dcbe777f2 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpOssDbPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "DineAtpOssDb": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e" + "DineAtpOssDb": "/providers/Microsoft.Authorization/policySetDefinitions/e77fc0b3-f7e9-4c58-bc13-cb753ed8e46e", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "DineAtpOssDb": "Deploy-MDFC-OssDb", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').DineAtpOssDb]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').DineAtpOssDb]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json index 34febb134..7ad2013d9 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AtpSqlDbPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "DineAtpSqlDb": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97" + "DineAtpSqlDb": "/providers/Microsoft.Authorization/policySetDefinitions/9cb3cc7a-b39b-4b82-bc89-e5a5d9ff7b97", + "policyVersion": "3.*.*" }, "policyAssignmentNames": { "DineAtpSqlDb": "Deploy-MDFC-SqlAtp", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').DineAtpSqlDb]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').DineAtpSqlDb]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json index cde092b64..0ced04dff 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMArcPolicyAssignment.json @@ -56,7 +56,8 @@ }, "variables": { "policyDefinitions": { - "vmArcChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1" + "vmArcChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/53448c70-089b-4f52-8f38-89196d7f2de1", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "vmArcChangeTracking": "Deploy-vmArc-ChangeTrack", @@ -80,7 +81,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmArcChangeTracking]", "location": "[deployment().location]", "identity": { @@ -90,6 +91,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmArcChangeTracking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json index 8c878a37f..4ebfffb65 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMPolicyAssignment.json @@ -76,7 +76,8 @@ }, "variables": { "policyDefinitions": { - "vmChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354" + "vmChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/92a36f05-ebc9-4bba-9128-b47ad2ea3354", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "vmChangeTracking": "Deploy-VM-ChangeTrack", @@ -105,7 +106,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmChangeTracking]", "location": "[deployment().location]", "identity": { @@ -115,6 +116,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmChangeTracking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json index 04450021a..b5503e4ee 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ChangeTrackingVMSSPolicyAssignment.json @@ -76,7 +76,8 @@ }, "variables": { "policyDefinitions": { - "vmssChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc" + "vmssChangeTracking": "/providers/Microsoft.Authorization/policySetDefinitions/c4a70814-96be-461c-889f-2b27429120dc", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "vmssChangeTracking": "Deploy-VMSS-ChangeTrack", @@ -105,7 +106,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmssChangeTracking]", "location": "[deployment().location]", "identity": { @@ -115,6 +116,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmssChangeTracking]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json index 58989a4d2..532b3a1aa 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-LogAnalyticsPolicyAssignment.json @@ -59,7 +59,8 @@ }, "variables": { "policyDefinitions": { - "deployLogAnalytics": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955" + "deployLogAnalytics": "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "logAnalytics": "Deploy-Log-Analytics", @@ -79,7 +80,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').loganalytics]", "location": "[deployment().location]", "identity": { @@ -89,6 +90,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployLogAnalytics]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json index 4b533d494..e61f1c6ec 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsAMAPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3" + "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/77b391e3-2d5d-40c3-83bf-65c846b3c6a3", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "azureSecurityMDE": "Deploy-MDEndpointsAMA", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureSecurityMDE]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json index 7f81ce19c..c0c59489e 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDEndpointsPolicyAssignment.json @@ -32,7 +32,8 @@ }, "variables": { "policyDefinitions": { - "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc" + "deployMDEndpoints": "/providers/Microsoft.Authorization/policySetDefinitions/e20d08c5-6d64-656d-6465-ce9e37fd0ebc", + "policyVersion": "1.*.*-preview" }, "policyAssignmentNames": { "azureSecurityMDE": "Deploy-MDEndpoints", @@ -52,7 +53,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureSecurityMDE]", "location": "[deployment().location]", "identity": { @@ -62,6 +63,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployMDEndpoints]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json index 645286c7f..d3210e1d7 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-MDFCDefenderSQLAMAPolicyAssignment.json @@ -106,7 +106,8 @@ }, "variables": { "policyDefinitions": { - "deployazureDefenderSQL": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26" + "deployazureDefenderSQL": "/providers/Microsoft.Authorization/policySetDefinitions/de01d381-bae9-4670-8870-786f89f49e26", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "azureDefenderSQL": "Deploy-MDFC-DefSQL-AMA", @@ -137,7 +138,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').azureDefenderSQL]", "location": "[deployment().location]", "identity": { @@ -147,6 +148,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployazureDefenderSQL]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json index 714311206..6c8fac4b4 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json @@ -35,7 +35,8 @@ }, "variables": { "policyDefinitions": { - "deployResourceDiagnostics": "[if(equals(parameters('laCategory'), 'allLogs'),'/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038','/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5')]" + "deployResourceDiagnostics": "[if(equals(parameters('laCategory'), 'allLogs'),'/providers/Microsoft.Authorization/policySetDefinitions/0884adba-2312-4468-abeb-5422caed1038','/providers/Microsoft.Authorization/policySetDefinitions/f5b29bc4-feca-4cc6-a58a-772dd5e290a5')]", + "policyVersion": "[if(equals(parameters('laCategory'), 'allLogs'),'1.*.*','1.*.*')]" }, "policyAssignmentNames": { "resourceDiagnostics": "Deploy-Diag-LogsCat", @@ -57,7 +58,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').resourceDiagnostics]", "location": "[deployment().location]", "identity": { @@ -67,6 +68,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployResourceDiagnostics]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json index 0f6a0e58c..29e4a8c15 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLAuditingPolicyAssignment.json @@ -29,7 +29,8 @@ }, "variables": { "policyDefinitions": { - "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb" + "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/25da7dfb-0666-4a15-a8f5-402127efd8bb", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "deploySqlAuditing": "Deploy-AzSqlDb-Auditing", @@ -49,7 +50,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deploySqlAuditing]", "location": "[deployment().location]", "identity": { @@ -59,6 +60,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deploySqlAuditing]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json index d5ae811a9..b18449418 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLEncryptionPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f" + "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "deploySqlEncryption": "Deploy-SQL-TDE", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deploySqlEncryption]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deploySqlEncryption]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json index d96cb2541..c93203df5 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-SQLThreatPolicyAssignment.json @@ -23,7 +23,8 @@ }, "variables": { "policyDefinitions": { - "deploySqlThreat": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5" + "deploySqlThreat": "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5", + "policyVersion": "2.*.*" }, "policyAssignmentNames": { "deploySqlThreat": "Deploy-SQL-Threat", @@ -43,7 +44,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deploySqlThreat]", "location": "[deployment().location]", "identity": { @@ -53,6 +54,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deploySqlThreat]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json index e59ec5297..e06cc5ff7 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json @@ -24,7 +24,8 @@ }, "variables": { "policyDefinitions": { - "deployVmBackup": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86" + "deployVmBackup": "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86", + "policyVersion": "9.*.*" }, "policyAssignmentNames": { "deployVmBackup": "Deploy-VM-Backup", @@ -46,7 +47,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deployVmBackup]", "location": "[deployment().location]", "identity": { @@ -56,6 +57,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployVmBackup]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json index 500577b69..abe13d8dc 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json @@ -52,7 +52,8 @@ }, "variables": { "policyDefinitions": { - "vmHybridMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321" + "vmHybridMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/2b00397d-c309-49c4-aa5a-f0b2c5bc6321", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "vmHybridMonitoring": "Deploy-vmHybr-Monitoring", @@ -76,7 +77,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmHybridMonitoring]", "location": "[deployment().location]", "identity": { @@ -86,6 +87,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmHybridMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json index 17afd3061..d5a989f30 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMMonitoringPolicyAssignment.json @@ -79,7 +79,8 @@ }, "variables": { "policyDefinitions": { - "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6" + "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/924bfe3a-762f-40e7-86dd-5c8b95eb09e6", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "vmMonitoring": "Deploy-VM-Monitoring", @@ -108,7 +109,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmMonitoring]", "location": "[deployment().location]", "identity": { @@ -118,6 +119,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json index d71b20328..e151ee8e7 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json @@ -79,7 +79,8 @@ }, "variables": { "policyDefinitions": { - "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485" + "vmssMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/f5bf694c-cca7-4033-b883-3a23327d5485", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "vmssMonitoring": "Deploy-VMSS-Monitoring", @@ -108,7 +109,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').vmssMonitoring]", "location": "[deployment().location]", "identity": { @@ -118,6 +119,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').vmssMonitoring]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json index c1092bb31..01e4c8f22 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/ENFORCE-SubnetPrivatePolicyAssignment.json @@ -26,7 +26,8 @@ }, "variables": { "policyDefinitions": { - "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837" + "privateSubnet": "/providers/Microsoft.Authorization/policyDefinitions/7bca8353-aa3b-429b-904a-9229c4385837", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "privateSubnet": "Enforce-Subnet-Private", @@ -42,12 +43,13 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').privateSubnet]", "properties": { "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').privateSubnet]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "nonComplianceMessages": [ { diff --git a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json index 0b9c17721..461201e9d 100644 --- a/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json +++ b/eslzArm/managementGroupTemplates/policyAssignments/MODIFY-DDoSPolicyAssignment.json @@ -29,7 +29,8 @@ }, "variables": { "policyDefinitions": { - "deployDoS": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d" + "deployDoS": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", + "policyVersion": "1.*.*" }, "policyAssignmentNames": { "deployDdoS": "Enable-DDoS-VNET", @@ -49,7 +50,7 @@ "resources": [ { "type": "Microsoft.Authorization/policyAssignments", - "apiVersion": "2022-06-01", + "apiVersion": "2024-04-01", "name": "[variables('policyAssignmentNames').deployDdoS]", "location": "[deployment().location]", "identity": { @@ -59,6 +60,7 @@ "description": "[variables('policyAssignmentNames').description]", "displayName": "[variables('policyAssignmentNames').displayName]", "policyDefinitionId": "[variables('policyDefinitions').deployDoS]", + "definitionVersion": "[variables('policyDefinitions').policyVersion]", "enforcementMode": "[parameters('enforcementMode')]", "parameters": { "ddosPlan": { diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json index 1877f87c9..5045df57f 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/initiatives.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.31.34.60546", - "templateHash": "9652634129750638250" + "templateHash": "10867486657225631259" } }, "parameters": { @@ -76,62 +76,62 @@ "input": "[json(variables('processPolicySetDefinitionsAzureUSGovernment')[copyIndex('policySetDefinitionsAzureUSGovernment')])]" } ], - "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#0": "{\n \"name\": \"Audit-UnusedResourcesCostOptimization\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Unused resources driving cost should be avoided\",\n \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Cost Optimization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectDisks\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Disks Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectPublicIpAddresses\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"PublicIpAddresses Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectServerFarms\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ServerFarms Effect\",\n \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDisks')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectServerFarms')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Audit\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#1": "{\n \"name\": \"Audit-TrustedLaunch\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Audit virtual machines for Trusted Launch support\",\n \"description\": \"Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Trusted Launch\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AuditDisksOsTrustedLaunch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AuditTrustedLaunchEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#10": "{\n \"name\": \"Enforce-Guardrails-KeyVault\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"effectKvSoftDelete\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Soft Delete\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvPurgeProtection\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Purge Protection\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectKvSecretsExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvKeysExpire\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Expiry\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvFirewallEnabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Firewall Enabled\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"effectKvCertLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Certificate Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"maximumCertLifePercentageLife\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The maximum lifetime percentage\",\n \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n },\n \"defaultValue\": 80\n },\n \"minimumCertLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvKeysLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Keys Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumKeysLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"effectKvSecretsLifetime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect - KV Secrets Lifetime\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"minimumSecretsLifeDaysBeforeExpiry\": {\n \"type\": \"Integer\",\n \"metadata\": {\n \"displayName\": \"The minimum days before expiry\",\n \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n },\n \"defaultValue\": 90\n },\n \"keyVaultCheckMinimumRSACertificateSize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSACertificateSizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultManagedHsmCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultCheckMinimumRSAKeySize\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultMinimumRSAKeySizeValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 2048,\n \"allowedValues\": [\n 2048,\n 3072,\n 4096\n ]\n },\n \"keyVaultArmRbac\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsPurgeProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificatesPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertValidPeriod\": {\n \"type\": \"integer\",\n \"defaultValue\": 12\n },\n \"keyVaultHmsKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsValidPeriod\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsValidityInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultCertKeyTypes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultEllipticCurve\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCryptographicType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keysActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keysCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"secretsActiveInDays\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"secretsActive\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultSecretContentType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultNonIntegratedCaValue\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"The common name of the certificate authority\",\n \"description\": \"The common name (CN) of the Certificate Authority (CA) provider. For example, for an issuer CN = Contoso, OU = .., DC = .., you can specify Contoso\"\n }\n },\n \"keyVaultIntegratedCa\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultIntegratedCaValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"DigiCert\",\n \"GlobalSign\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHsmMinimumDaysBeforeExpirationValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n },\n \"keyVaultHmsCurveNames\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultHmsCurveNamesValue\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"P-256\",\n \"P-256K\",\n \"P-384\",\n \"P-521\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue\": {\n \"type\": \"integer\",\n \"defaultValue\": 90\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSoftDelete')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysExpire')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvCertLifetime')]\"\n },\n \"maximumPercentageLife\": {\n \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n },\n \"minimumDaysBeforeExpiry\": {\n \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cee51871-e572-4576-855c-047c820360f0\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinCertSize\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSACertificateSize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSACertificateSizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86810a98-8e91-4a44-8386-ec66d0de5d57\",\n \"policyDefinitionReferenceId\": \"Deny-keyVaultManagedHsm-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultManagedHsmMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82067dbb-e53b-4e06-b631-546d197452d9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-RSA-Keys-without-MinKeySize\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCheckMinimumRSAKeySize')]\"\n },\n \"minimumRSAKeySize\": {\n \"value\": \"[[parameters('keyVaultMinimumRSAKeySizeValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12d4fa5e-1f9f-4c21-97a9-b99b3c6611b5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-without-ArmRbac\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultArmRbac')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PurgeProtection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsPurgeProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a075868-4c26-42ef-914c-5bc007359560\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cert-Period\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificatesPeriod')]\"\n },\n \"maximumValidityInMonths\": {\n \"value\": \"[[parameters('keyVaultCertValidPeriod')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1d478a74-21ba-4b9f-9d8f-8e6fced0eec5\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-Key-Expire\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/49a22571-d204-4c91-a7b6-09b1a586fbc9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Keys-Expire\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/342e8053-e12e-4c44-be01-c3c2f318400f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secrets-ValidityDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsValidPeriod')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsValidityInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1151cede-290b-4ba0-8b38-0ad145ac888f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Types\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertKeyTypes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd78111f-4953-4367-9fd5-7e08808b54bf\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Elliptic-Curve\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultEllipticCurve')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75c4f823-d65c-4f29-a733-01d0077fdbcb\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Cryptographic-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCryptographicType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26e4b24-cf98-4c67-b48b-5a25c4c69eb9\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Key-Active\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('keysActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff25f3c8-b739-4538-9d07-3d6d25cfb255\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Curve-Names\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keysCurveNames')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8d99835-8a06-45ae-a8e0-87a91941ccfe\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Secret-ActiveDays\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('secretsActive')]\"\n },\n \"maximumValidityInDays\": {\n \"value\": \"[[parameters('secretsActiveInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75262d3e-ba4a-4f43-85f8-9f72c090e5e3\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Secret-Content-Type\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultSecretContentType')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a22f4a40-01d3-4c7d-8071-da157eeff341\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Non-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCa')]\"\n },\n \"caCommonName\": {\n \"value\": \"[[parameters('keyVaultNonIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e826246-c976-48f6-b03e-619bb92b3d82\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Integrated-Ca\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultIntegratedCa')]\"\n },\n \"allowedCAs\": {\n \"value\": \"[[parameters('keyVaultIntegratedCaValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad27588c-0198-4c84-81ef-08efd0274653\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-MinimumDays-Before-Expiration\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpiration')]\"\n },\n \"minimumDaysBeforeExpiration\": {\n \"value\": \"[[parameters('keyVaultHsmMinimumDaysBeforeExpirationValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e58fd0c1-feac-4d12-92db-0a7e9421f53e\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Hsm-Curve-Names\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNames')]\"\n },\n \"allowedECNames\": {\n \"value\": \"[[parameters('keyVaultHmsCurveNamesValue')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f772fb64-8e40-40ad-87bc-7706e1949427\",\n \"policyDefinitionReferenceId\": \"Deny-Kv-Cert-Expiration-Within-Specific-Number-Days\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDays')]\"\n },\n \"daysToExpire\": {\n \"value\": \"[[parameters('keyVaultCertificateNotExpireWithinSpecifiedNumberOfDaysValue')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#11": "{\n \"name\": \"Enforce-Guardrails-APIM\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for API Management\",\n \"description\": \"This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"API Management\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"apiSubscriptionScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"minimumApiVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSkuVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"apimApiBackendCertValidation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimDirectApiEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimCallApiAuthn\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimEncryptedProtocols\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimVnetUsage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimSecrets\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"apimTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Kv\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSecrets')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-without-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimVnetUsage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS\",\n \"policyDefinitionReferenceId\": \"Deny-APIM-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Protocols\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimEncryptedProtocols')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Authn\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimCallApiAuthn')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Direct-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDirectApiEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Cert-Validation\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimApiBackendCertValidation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2\",\n \"policyDefinitionReferenceId\": \"Dine-Apim-Public-NetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Sku-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apimSkuVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67\",\n \"policyDefinitionReferenceId\": \"Deny-Apim-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('minimumApiVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1\",\n \"policyDefinitionReferenceId\": \"Deny-Api-subscription-scope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('apiSubscriptionScope')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#12": "{\n \"name\": \"Enforce-Guardrails-AppServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for App Service\",\n \"description\": \"This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"App Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"functionAppDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceSkuPl\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceDisableLocalAuthFtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceScmAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRfc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsVnetRouting\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceEnvLatestVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsRemoteDebugging\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceByoc\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"appServiceAppModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Byoc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceByoc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Remote-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsRemoteDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Latest-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceEnvLatestVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Vnet-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsVnetRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222\",\n \"policyDefinitionReferenceId\": \"Deny-AppServiceApps-Rfc\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsRfc')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb\",\n \"policyDefinitionReferenceId\": \"DINE-FuncApp-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-ScmAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceScmAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-Routing\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceRouting')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-FtpAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuthFtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5\",\n \"policyDefinitionReferenceId\": \"Deny-AppServ-SkuPl\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceSkuPl')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-Debugging\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppDebugging')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c\",\n \"policyDefinitionReferenceId\": \"Modify-Function-Apps-Slots-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-Apps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee\",\n \"policyDefinitionReferenceId\": \"Modify-AppService-App-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#13": "{\n \"name\": \"Enforce-Guardrails-Automation\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Automation Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Automation\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aaModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"aaVariablesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"autoHotPatch\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"aaModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc\",\n \"policyDefinitionReferenceId\": \"Deny-Windows-Vm-HotPatch\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('autoHotPatch')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Variables-Encrypt\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaVariablesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyLocalAUth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c\",\n \"policyDefinitionReferenceId\": \"Modify-Aa-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aaModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#14": "{\n \"name\": \"Enforce-Guardrails-BotService\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Bot Service\",\n \"description\": \"This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Bot Service\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"botServiceValidUri\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceIsolatedMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n },\n \"botServiceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServicePrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Valid-Uri\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceValidUri')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Isolated-Mode\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceIsolatedMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e\",\n \"policyDefinitionReferenceId\": \"Audit-BotService-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServicePrivateLink')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#15": "{\n \"name\": \"Enforce-Guardrails-CognitiveServices\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cognitive Services\",\n \"description\": \"This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveSearchSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyCognitiveSearchPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-SKU\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91\",\n \"policyDefinitionReferenceId\": \"Deny-CongitiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30\",\n \"policyDefinitionReferenceId\": \"Modify-CogntiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyCognitiveSearchPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Customer-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4\",\n \"policyDefinitionReferenceId\": \"Aine-Cognitive-Services-Resource-Logs\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesResourceLogs')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#16": "{\n \"name\": \"Enforce-Guardrails-Compute\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Compute\",\n \"description\": \"This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Compute\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"diskDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vmAndVmssEncryptionHost\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87\",\n \"policyDefinitionReferenceId\": \"Deny-VmAndVmss-Encryption-Host\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vmAndVmssEncryptionHost')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816\",\n \"policyDefinitionReferenceId\": \"Deny-Disk-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('diskDoubleEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#17": "{\n \"name\": \"Enforce-Guardrails-ContainerApps\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Apps\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Apps\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerAppsManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsVnetInjection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApp-Vnet-Injection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsVnetInjection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsManagedIdentity')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#18": "{\n \"name\": \"Enforce-Guardrails-ContainerInstance\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Instances\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerInstanceVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Vnet\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceVnet')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#19": "{\n \"name\": \"Enforce-Guardrails-ContainerRegistry\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Container Registry\",\n \"description\": \"This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Container Registry\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"containerRegistryUnrestrictedNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyRepositoryToken\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryExports\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyAnAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistrySkuPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyArmAudience\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"containerRegistryModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Arm-Audience\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyArmAudience')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Sku-PrivateLink\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistrySkuPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Anonymous-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryAnAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Exports\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryExports')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Repo-Token\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryRepositoryToken')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerRegistry-Unrestricted-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryUnrestrictedNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9\",\n \"policyDefinitionReferenceId\": \"Modify-ContainerRegistry-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerRegistryModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#2": "{\n \"name\": \"Deploy-Sql-Security\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-Sql-Security_20240529.html\",\n \"metadata\": {\n \"version\": \"1.0.0-deprecated\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-Sql-Security_20240529\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"String\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#37": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#20": "{\n \"name\": \"Enforce-Guardrails-CosmosDb\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Cosmos DB\",\n \"description\": \"This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Cosmos DB\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cosmosDbLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cosmosDbAtp\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cosmosDbModifyPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656\",\n \"policyDefinitionReferenceId\": \"Dine-CosmosDb-Atp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbAtp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Fw-Rules\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2\",\n \"policyDefinitionReferenceId\": \"Deny-CosmosDb-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5\",\n \"policyDefinitionReferenceId\": \"Append-CosmosDb-Metadata\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088\",\n \"policyDefinitionReferenceId\": \"Modify-CosmosDb-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cosmosDbModifyPublicAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#21": "{\n \"name\": \"Enforce-Guardrails-DataExplorer\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Explorer\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Azure Data Explorer\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adxEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxSku\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Sku-without-PL-Support\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxSku')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Double-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Encryption\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa\",\n \"policyDefinitionReferenceId\": \"Modify-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#22": "{\n \"name\": \"Enforce-Guardrails-DataFactory\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Data Factory\",\n \"description\": \"This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Data Factory\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"adfSqlIntegration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfLinkedServiceKeyVault\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfGit\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Managed-Identity\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Git\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfGit')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Linked-Service-Key-Vault\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfLinkedServiceKeyVault')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Sql-Integration\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfSqlIntegration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7\",\n \"policyDefinitionReferenceId\": \"Modify-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#23": "{\n \"name\": \"Enforce-Guardrails-EventGrid\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Grid\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Grid\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventGridLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPartnerNamespaceModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridDomainModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Partner-Namespace-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPartnerNamespaceLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Domain-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridDomainModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172\",\n \"policyDefinitionReferenceId\": \"Modify-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#24": "{\n \"name\": \"Enforce-Guardrails-EventHub\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Event Hub\",\n \"description\": \"This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Event Hub\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"eventHubAuthRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Double-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d\",\n \"policyDefinitionReferenceId\": \"Modify-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Auth-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubAuthRules')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#25": "{\n \"name\": \"Enforce-Guardrails-KeyVault-Sup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce additional recommended guardrails for Key Vault\",\n \"description\": \"This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Key Vault\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"keyVaultManagedHsmDisablePublicNetworkModify\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"keyVaultModifyFw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456\",\n \"policyDefinitionReferenceId\": \"Modify-KV-PublicNetworkAccess\",\n \"definitionVersion\": \"2.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetworkModify')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc\",\n \"policyDefinitionReferenceId\": \"Modify-KV-Fw\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultModifyFw')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#26": "{\n \"name\": \"Enforce-Guardrails-Kubernetes\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Kubernetes\",\n \"description\": \"This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Kubernetes\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"aksKms\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksCni\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"aksLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivateCluster\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksCommandInvoke\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"aksReadinessOrLivenessProbes\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksPrivContainers\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksPrivEscalation\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksAllowedCapabilities\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksTempDisk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksInternalLb\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksDefaultNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksNakedPods\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"aksShareHostProcessAndNamespace\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"audit\",\n \"Audit\",\n \"deny\",\n \"Deny\",\n \"disabled\",\n \"Disabled\"\n ]\n },\n \"aksWindowsContainerAdministrator\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Windows-Container-Administrator\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksWindowsContainerAdministrator')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Shared-Host-Process-Namespace\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksShareHostProcessAndNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Naked-Pods\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksNakedPods')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Default-Namespace\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksDefaultNamespace')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Internal-Lb\",\n \"definitionVersion\": \"8.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksInternalLb')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Temp-Disk-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksTempDisk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Allowed-Capabilities\",\n \"definitionVersion\": \"6.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksAllowedCapabilities')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Escalation\",\n \"definitionVersion\": \"7.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivEscalation')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Priv-Containers\",\n \"definitionVersion\": \"9.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivContainers')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-ReadinessOrLiveness-Probes\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksReadinessOrLivenessProbes')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Command-Invoke\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCommandInvoke')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"policyDefinitionReferenceId\": \"Dine-Aks-Policy\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPolicy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Private-Cluster\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksPrivateCluster')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Kms\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksKms')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67\",\n \"policyDefinitionReferenceId\": \"Deny-Aks-Cni\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('aksCni')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#27": "{\n \"name\": \"Enforce-Guardrails-MachineLearning\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Machine Learning\",\n \"description\": \"This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Machine Learning\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mlUserAssignedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlOutdatedOS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"mlIdleShutdown\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlVirtualNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlLegacyMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"mlResourceLogs\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"mlAllowedRegistryDeploy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mlAllowedModule\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedPython\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n },\n \"mlAllowedRegistries\": {\n \"type\": \"string\",\n \"defaultValue\": \"enforceSetting\",\n \"allowedValues\": [\n \"enforceSetting\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Outdated-Os\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effects\": {\n \"value\": \"[[parameters('mlOutdatedOS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Local-Auth\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78\",\n \"policyDefinitionReferenceId\": \"Deny-ML-User-Assigned-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlUserAssignedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f\",\n \"policyDefinitionReferenceId\": \"Modify-ML-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Idle-Shutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlIdleShutdown')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Virtual-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlVirtualNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Legacy-Mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlLegacyMode')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b\",\n \"policyDefinitionReferenceId\": \"Audit-ML-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6\",\n \"policyDefinitionReferenceId\": \"Aine-ML-Resource-Logs\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlResourceLogs')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registry-Deploy\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistryDeploy')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Module\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedModule')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Python\",\n \"definitionVersion\": \"5.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedPython')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003\",\n \"policyDefinitionReferenceId\": \"Deny-ML-Allowed-Registries\",\n \"definitionVersion\": \"6.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mlAllowedRegistries')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#28": "{\n \"name\": \"Enforce-Guardrails-MySQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for MySQL\",\n \"description\": \"This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"MySQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"mySqlInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816\",\n \"policyDefinitionReferenceId\": \"Dine-MySql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlAdvThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlInfraEncryption')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#29": "{\n \"name\": \"Enforce-Guardrails-Network\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Network and Networking services\",\n \"description\": \"This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"subnetUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"subnetServiceEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwWaf\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vnetModifyDdos\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Audit\",\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"ddosPlanResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"wafMode\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"wafFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGw\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafModeAppGwRequirement\": {\n \"type\": \"string\",\n \"defaultValue\": \"Prevention\"\n },\n \"denyMgmtFromInternet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"denyMgmtFromInternetPorts\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Ports\",\n \"description\": \"Ports to be blocked\"\n },\n \"defaultValue\": [\n \"22\",\n \"3389\"\n ]\n },\n \"afwEnbaleTlsForAllAppRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableTlsInspection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEmptyIDPSBypassList\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableAllIDPSSignatureRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"afwEnableIDPS\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"wafAfdEnabled\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"vpnAzureAD\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appGwTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyUdr\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\"\n },\n \"modifyUdrNextHopIpAddress\": {\n \"type\": \"string\",\n \"defaultValue\": \"\"\n },\n \"modifyUdrNextHopType\": {\n \"type\": \"string\",\n \"defaultValue\": \"None\"\n },\n \"modifyUdrAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"0.0.0.0/0\"\n },\n \"modifyNsg\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyNsgRuleName\": {\n \"type\": \"string\",\n \"defaultValue\": \"DenyAnyInternetOutbound\"\n },\n \"modifyNsgRulePriority\": {\n \"type\": \"integer\",\n \"defaultValue\": 1000\n },\n \"modifyNsgRuleDirection\": {\n \"type\": \"string\",\n \"defaultValue\": \"Outbound\"\n },\n \"modifyNsgRuleAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Allow\",\n \"Deny\"\n ]\n },\n \"modifyNsgRuleProtocol\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourceAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleSourcePortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDestinationAddressPrefix\": {\n \"type\": \"string\",\n \"defaultValue\": \"Internet\"\n },\n \"modifyNsgRuleDestinationPortRange\": {\n \"type\": \"string\",\n \"defaultValue\": \"*\"\n },\n \"modifyNsgRuleDescription\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny any outbound traffic to the Internet\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010\",\n \"policyDefinitionReferenceId\": \"Deny-Nsg-GW-subnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7\",\n \"policyDefinitionReferenceId\": \"Deny-VPN-AzureAD\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vpnAzureAD')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Afd-Enabled\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafAfdEnabled')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-IDPS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableIDPS')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5\",\n \"policyDefinitionReferenceId\": \"Deny-FW-AllIDPSS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableAllIDPSSignatureRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50\",\n \"policyDefinitionReferenceId\": \"Deny-FW-EmpIDPSBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEmptyIDPSBypassList')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-Inspection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnableTlsInspection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596\",\n \"policyDefinitionReferenceId\": \"Deny-FW-TLS-AllApp\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('afwEnbaleTlsForAllAppRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-AppGw-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafModeAppGw')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeAppGwRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-Fw-rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8\",\n \"policyDefinitionReferenceId\": \"Deny-Waf-mode\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('wafMode')]\"\n },\n \"modeRequirement\": {\n \"value\": \"[[parameters('wafModeRequirement')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d\",\n \"policyDefinitionReferenceId\": \"Modify-vNet-DDoS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('vnetModifyDdos')]\"\n },\n \"ddosPlan\": {\n \"value\": \"[[parameters('ddosPlanResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900\",\n \"policyDefinitionReferenceId\": \"Deny-Ip-Forwarding\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114\",\n \"policyDefinitionReferenceId\": \"Deny-vNic-Pip\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Waf\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwWaf')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetUdr')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-Without-NSG\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetNsg')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints\",\n \"policyDefinitionReferenceId\": \"Deny-Subnet-with-Service-Endpoints\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('subnetServiceEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet\",\n \"policyDefinitionReferenceId\": \"Deny-Mgmt-From-Internet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('denyMgmtFromInternet')]\"\n },\n \"ports\": {\n \"value\": \"[[parameters('denyMgmtFromInternetPorts')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls\",\n \"policyDefinitionReferenceId\": \"Deny-AppGw-Without-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appGwTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR\",\n \"policyDefinitionReferenceId\": \"Modify-Udr\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyUdr')]\"\n },\n \"nextHopIpAddress\": {\n \"value\": \"[[parameters('modifyUdrNextHopIpAddress')]\"\n },\n \"nextHopType\": {\n \"value\": \"[[parameters('modifyUdrNextHopType')]\"\n },\n \"addressPrefix\": {\n \"value\": \"[[parameters('modifyUdrAddressPrefix')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG\",\n \"policyDefinitionReferenceId\": \"Modify-Nsg\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyNsg')]\"\n },\n \"nsgRuleName\": {\n \"value\": \"[[parameters('modifyNsgRuleName')]\"\n },\n \"nsgRulePriority\": {\n \"value\": \"[[parameters('modifyNsgRulePriority')]\"\n },\n \"nsgRuleDirection\": {\n \"value\": \"[[parameters('modifyNsgRuleDirection')]\"\n },\n \"nsgRuleAccess\": {\n \"value\": \"[[parameters('modifyNsgRuleAccess')]\"\n },\n \"nsgRuleProtocol\": {\n \"value\": \"[[parameters('modifyNsgRuleProtocol')]\"\n },\n \"nsgRuleSourceAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleSourceAddressPrefix')]\"\n },\n \"nsgRuleSourcePortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleSourcePortRange')]\"\n },\n \"nsgRuleDestinationAddressPrefix\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationAddressPrefix')]\"\n },\n \"nsgRuleDestinationPortRange\": {\n \"value\": \"[[parameters('modifyNsgRuleDestinationPortRange')]\"\n },\n \"nsgRuleDescription\": {\n \"value\": \"[[parameters('modifyNsgRuleDescription')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#3": "{\n \"name\": \"Deploy-Sql-Security_20240529\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-Sql-Security\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"vulnerabilityAssessmentsEmail\": {\n \"metadata\": {\n \"description\": \"The email address to send alerts\",\n \"displayName\": \"The email address to send alerts\"\n },\n \"type\": \"Array\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"metadata\": {\n \"description\": \"The storage account ID to store assessments\",\n \"displayName\": \"The storage account ID to store assessments\"\n },\n \"type\": \"String\"\n },\n \"SqlDbTdeDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n }\n },\n \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n }\n },\n \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL database auditing settings\",\n \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n }\n },\n \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific storage account in the parameters\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n },\n \"vulnerabilityAssessmentsEmail\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n },\n \"vulnerabilityAssessmentsStorageID\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#30": "{\n \"name\": \"Enforce-Guardrails-OpenAI\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Open AI (Cognitive Service)\",\n \"description\": \"This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Cognitive Services\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"cognitiveServicesOutboundNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAcls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesCustomerStorage\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesManagedIdentity\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"azureAiPrivateLink\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDisableLocalKey2\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"azureAiDiagSettings\": {\n \"type\": \"string\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-OutboundNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesOutboundNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls\",\n \"policyDefinitionReferenceId\": \"Deny-OpenAi-NetworkAcls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAcls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Managed-Identity\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesManagedIdentity')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Cust-Storage\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesCustomerStorage')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555\",\n \"policyDefinitionReferenceId\": \"Modify-Cognitive-Services-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesModifyDisableLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-AzureAI-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782\",\n \"policyDefinitionReferenceId\": \"Audit-AzureAI-Private-Link\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiPrivateLink')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30\",\n \"policyDefinitionReferenceId\": \"Dine-AzureAI-Local-Key2\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDisableLocalKey2')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb\",\n \"policyDefinitionReferenceId\": \"Aine-AzureAI-Diag-Settings\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('azureAiDiagSettings')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#31": "{\n \"name\": \"Enforce-Guardrails-PostgreSQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for PostgreSQL\",\n \"description\": \"This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"PostgreSQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"postgreSqlAdvThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3\",\n \"policyDefinitionReferenceId\": \"Dine-PostgreSql-Adv-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlAdvThreatProtection')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#32": "{\n \"name\": \"Enforce-Guardrails-ServiceBus\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Service Bus\",\n \"description\": \"This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Service Bus\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"serviceBusModifyDisableLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyDisabledLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusAuthzRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Authz-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusAuthzRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyDisabledLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e\",\n \"policyDefinitionReferenceId\": \"Modify-Sb-LocalAuth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusModifyDisableLocalAuth')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#33": "{\n \"name\": \"Enforce-Guardrails-SQL\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for SQL and SQL Managed Instance\",\n \"description\": \"This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"SQL\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"sqlManagedAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlAadOnly\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"modifySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Managed-Defender\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Aad-Only\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedAadOnly')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6\",\n \"policyDefinitionReferenceId\": \"Dine-Sql-Adv-Data\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {}\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b\",\n \"policyDefinitionReferenceId\": \"Modify-Sql-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifySqlPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#34": "{\n \"name\": \"Enforce-Guardrails-Storage\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Storage Account\",\n \"description\": \"This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Storage\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"storageKeysExpiration\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountRestrictNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageThreatProtection\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"storageClassicToArm\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsInfraEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountSharedKey\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCrossTenant\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsDoubleEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsAllowedCopyScope\": {\n \"type\": \"string\",\n \"defaultValue\": \"AAD\"\n },\n \"storageServicesEncryption\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageLocalUser\": {\n \"type\": \"string\",\n \"defaultValue\": \"Disabled\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageSftp\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsBypass\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAllowedNetworkAclsBypass\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"None\"\n ]\n },\n \"storageResourceAccessRulesTenantId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageResourceAccessRulesResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageNetworkAclsVirtualNetworkRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageContainerDeleteRetentionPolicy\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageMinContainerDeleteRetentionInDays\": {\n \"type\": \"Integer\",\n \"defaultValue\": 7\n },\n \"storageCorsRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"modifyStorageFileSyncPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"modifyStorageAccountPublicEndpoint\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"storageAccountsModifyDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CopyScope\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCopyScope')]\"\n },\n \"allowedCopyScope\": {\n \"value\": \"[[parameters('storageAccountsAllowedCopyScope')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ServicesEncryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageServicesEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-LocalUser\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageLocalUser')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-SFTP\",\n\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageSftp')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsBypass\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsBypass')]\"\n },\n \"allowedBypassOptions\": {\n \"value\": \"[[parameters('storageAllowedNetworkAclsBypass')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesTenantId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesTenantId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ResourceAccessRulesResourceId\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageResourceAccessRulesResourceId')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkAclsVirtualNetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageNetworkAclsVirtualNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-ContainerDeleteRetentionPolicy\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageContainerDeleteRetentionPolicy')]\"\n },\n \"minContainerDeleteRetentionInDays\": {\n \"value\": \"[[parameters('storageMinContainerDeleteRetentionInDays')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-CorsRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageCorsRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsDoubleEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Cross-Tenant\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsCrossTenant')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Shared-Key\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountSharedKey')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Infra-Encryption\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsInfraEncryption')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Classic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageClassicToArm')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c\",\n \"policyDefinitionReferenceId\": \"Dine-Storage-Threat-Protection\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageThreatProtection')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Restrict-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountRestrictNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-NetworkRules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountNetworkRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Account-Keys-Expire\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageKeysExpiration')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-FileSync-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageFileSyncPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b\",\n \"policyDefinitionReferenceId\": \"Modify-Blob-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('modifyStorageAccountPublicEndpoint')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d\",\n \"policyDefinitionReferenceId\": \"Modify-Storage-Account-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsModifyDisablePublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#35": "{\n \"name\": \"Enforce-Guardrails-Synapse\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Synapse workspaces\",\n \"description\": \"This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Synapse\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"synapseLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseManagedVnet\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseDataTraffic\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTenants\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseAllowedTenantIds\": {\n \"type\": \"array\",\n \"defaultValue\": [\n \"[[subscription().tenantId]\"\n ]\n },\n \"synapseFwRules\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"synapseModifyLocalAuth\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseDefender\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"synapseModifyTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"synapseModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6\",\n \"policyDefinitionReferenceId\": \"Dine-Synapse-Defender\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDefender')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Fw-Rules\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseFwRules')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tenant-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTenants')]\"\n },\n \"allowedTenantIds\": {\n \"value\": \"[[parameters('synapseAllowedTenantIds')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Data-Traffic\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseDataTraffic')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Managed-Vnet\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseManagedVnet')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Local-Auth\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseLocalAuth')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a\",\n \"policyDefinitionReferenceId\": \"Modify-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#36": "{\n \"name\": \"Enforce-Guardrails-VirtualDesktop\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce recommended guardrails for Virtual Desktop\",\n \"description\": \"This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Desktop Virtualization\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"avdWorkspaceModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolModifyPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Modify\",\n \"allowedValues\": [\n \"Modify\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f\",\n \"policyDefinitionReferenceId\": \"Modify-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspaceModifyPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d\",\n \"policyDefinitionReferenceId\": \"Modify-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolModifyPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#37": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"5.2.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registries with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"PostgreSQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n \"description\": \"This policy denies creation of PostgreSQL Flexible DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"postgreSqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for PostgreSQL servers\",\n \"description\": \"This policy denies creation of PostgreSQL DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MySQLFlexPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MlPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"RedisCachePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BotServicePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Bot Service\",\n \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AutomationPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Automation accounts\",\n \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be set to 'isolated only' mode\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AppConfigPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Configuration\",\n \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"FunctionAppSlotPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Function apps\",\n \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for App Service apps\",\n \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ApiManPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for API Management services\",\n \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n },\n \"ContainerAppsEnvironmentDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Container Apps environment should disable public network access\",\n \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AsrVaultDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Azure Recovery Services vaults should disable public network access\",\n \"description\": \"This policy denies creation of Azure Recovery Services vaults with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"logicAppPublicNetworkAccessEffect\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"appSlotsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"cognitiveSearchPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"managedDiskPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"containerAppsPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventGridTopicPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"keyVaultManagedHsmDisablePublicNetwork\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"mySqlPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveServicesPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDisablePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsPublicAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapsePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdHostPoolPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"avdWorkspacePublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"grafanaPublicNetworkAccess\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-PostgreSql-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('postgreSqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppSlotsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppSlotPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"AsrVaultDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AsrVaultDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Public-Network-Access\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppPublicNetworkAccessEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622\",\n \"policyDefinitionReferenceId\": \"Deny-AppSlots-Public\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appSlotsPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094\",\n \"policyDefinitionReferenceId\": \"Deny-ManagedDisk-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('managedDiskPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45\",\n \"policyDefinitionReferenceId\": \"Deny-EventGrid-Topic-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventGridTopicPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f\",\n \"policyDefinitionReferenceId\": \"Deny-KV-Hms-PublicNetwork\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('keyVaultManagedHsmDisablePublicNetwork')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095\",\n \"policyDefinitionReferenceId\": \"Deny-MySql-Public-Network-Access\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('mySqlPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Public-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3\",\n \"policyDefinitionReferenceId\": \"Deny-Cognitive-Services-Network-Access\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveServicesNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-PublicEndpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDisablePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Public-Endpoint\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Public-Access\",\n \"definitionVersion\": \"3.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsPublicAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Public-Network-Access\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapsePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd\",\n \"policyDefinitionReferenceId\": \"Deny-Workspace-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdWorkspacePublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334\",\n \"policyDefinitionReferenceId\": \"Deny-Hostpool-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('avdHostPoolPublicNetworkAccess')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628\",\n \"policyDefinitionReferenceId\": \"Deny-Grafana-PublicNetworkAccess\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('grafanaPublicNetworkAccess')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#38": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. This policy set is superseded by built-in initiative https://www.azadvertizer.net/azpolicyinitiativesadvertizer/0884adba-2312-4468-abeb-5422caed1038.html.\",\n \"metadata\": {\n \"deprecated\": true,\n \"version\": \"2.2.0-deprecated\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsDestinationType\": {\n \"type\": \"String\",\n \"defaultValue\": \"AzureDiagnostics\",\n \"allowedValues\": [\n \"AzureDiagnostics\",\n \"Dedicated\"\n ],\n \"metadata\": {\n \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AVDScalingPlansLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"logAnalyticsDestinationType\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#39": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html\",\n \"metadata\": {\n \"version\": \"7.0.0-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Deploy-MDFC-Config_20240319\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"default\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForApis\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForApis\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForApis')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#4": "{\n \"name\": \"Enforce-EncryptTransit\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html\",\n \"metadata\": {\n \"version\": \"2.1.0-deprecated\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"Enforce-EncryptTransit_20240509\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageminimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"StorageHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }", - "$fxv#40": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#41": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.3.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#42": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.1.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#43": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#40": "{\n \"name\": \"Deploy-MDFC-Config_20240319\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"2.2.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Deploy-MDFC-Config\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"createResourceGroup\":{\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Create resource group\",\n \"description\": \"If a resource group does not exists in the scope, a new resource group will be created. If the resource group exists and this flag is set to 'true' the policy will re-deploy the resource group. Please note this will reset any Azure Tag on the resource group.\"\n },\n \"defaultValue\": true,\n \"allowedValues\": [\n true,\n false\n ]\n },\n \"enableAscForCosmosDbs\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForSqlOnVm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForOssDb\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForAppServices\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForKeyVault\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServersVulnerabilityAssessments\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"vulnerabilityAssessmentProvider\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"default\",\n \"mdeTvm\"\n ],\n \"defaultValue\": \"mdeTvm\",\n \"metadata\": {\n \"displayName\": \"Vulnerability assessment provider type\",\n \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n }\n },\n \"enableAscForCspm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableTvmCheck\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForOssDb')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n },\n \"vaType\": {\n \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForAppServices')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n },\n \"logAnalyticsWorkspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForKeyVault')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForCspm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForCspm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\": {\n \"value\": \"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"createResourceGroup\": {\n \"value\": \"[[parameters('createResourceGroup')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"migrateToMdeTvm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableTvmCheck')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#41": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"2.4.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"dnsZoneSubscriptionId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Subscription Id\",\n \"description\": \"The subscription id where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceGroupName\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"The resource group where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneResourceType\": {\n \"type\": \"string\",\n \"defaultValue\": \"Microsoft.Network/privateDnsZones\",\n \"metadata\": {\n \"displayName\": \"Resource Type\",\n \"description\": \"The resource type where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnsZoneRegion\": {\n \"type\": \"string\",\n \"defaultValue\": \"changeme\",\n \"metadata\": {\n \"displayName\": \"Region\",\n \"description\": \"The region where the private DNS zones are deployed. If this is specified, it will override any individual private DNS zone resource ids specified.\"\n }\n },\n \"dnzZoneRegionShortNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"changeme\": \"changeme\",\n \"australiacentral\" : \"acl\",\n \"australiacentral2\" : \"acl2\",\n \"australiaeast\" : \"ae\",\n \"australiasoutheast\" : \"ase\",\n \"brazilsoutheast\" : \"bse\",\n \"brazilsouth\" : \"brs\",\n \"canadacentral\" : \"cnc\",\n \"canadaeast\" : \"cne\",\n \"centralindia\" : \"inc\",\n \"centralus\" : \"cus\",\n \"centraluseuap\" : \"ccy\",\n \"chilecentral\" : \"clc\",\n \"eastasia\" : \"ea\",\n \"eastus\" : \"eus\",\n \"eastus2\" : \"eus2\",\n \"eastus2euap\" : \"ecy\",\n \"francecentral\" : \"frc\",\n \"francesouth\" : \"frs\",\n \"germanynorth\" : \"gn\",\n \"germanywestcentral\" : \"gwc\",\n \"israelcentral\" : \"ilc\",\n \"italynorth\" : \"itn\",\n \"japaneast\" : \"jpe\",\n \"japanwest\" : \"jpw\",\n \"koreacentral\" : \"krc\",\n \"koreasouth\" : \"krs\",\n \"malaysiasouth\" : \"mys\",\n \"malaysiawest\" : \"myw\",\n \"mexicocentral\" : \"mxc\",\n \"newzealandnorth\" : \"nzn\",\n \"northcentralus\" : \"ncus\",\n \"northeurope\" : \"ne\",\n \"norwayeast\" : \"nwe\",\n \"norwaywest\" : \"nww\",\n \"polandcentral\" : \"plc\",\n \"qatarcentral\" : \"qac\",\n \"southafricanorth\" : \"san\",\n \"southafricawest\" : \"saw\",\n \"southcentralus\" : \"scus\",\n \"southeastasia\" : \"sea\",\n \"southindia\" : \"ins\",\n \"spaincentral\" : \"spc\",\n \"swedencentral\" : \"sdc\",\n \"swedensouth\" : \"sds\",\n \"switzerlandnorth\" : \"szn\",\n \"switzerlandwest\" : \"szw\",\n \"taiwannorth\" : \"twn\",\n \"uaecentral\" : \"uac\",\n \"uaenorth\" : \"uan\",\n \"uksouth\" : \"uks\",\n \"ukwest\" : \"ukw\",\n \"westcentralus\" : \"wcus\",\n \"westeurope\" : \"we\",\n \"westindia\" : \"inw\",\n \"westus\" : \"wus\",\n \"westus2\" : \"wus2\",\n \"westus3\" : \"wus3\"\n },\n \"metadata\": {\n \"displayName\": \"Region Short Name Mapping\",\n \"description\": \"Mapping of region to private DNS zone resource id. If the region is not specified, the default private DNS zone resource id will be used.\"\n }\n },\n \"dnsZoneNames\": {\n \"type\": \"object\",\n \"defaultValue\": {\n \"azureAcrPrivateDnsZoneId\": \"privatelink.azurecr.io\",\n \"azureAcrDataPrivateDnsZoneId\": \"{regionName}.data.privatelink.azurecr.io\",\n \"azureAppPrivateDnsZoneId\": \"privatelink.azconfig.io\",\n \"azureAppServicesPrivateDnsZoneId\": \"privatelink.azurewebsites.net\",\n \"azureArcGuestconfigurationPrivateDnsZoneId\": \"privatelink.guestconfiguration.azure.com\",\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": \"privatelink.his.arc.azure.com\",\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": \"privatelink.dp.kubernetesconfiguration.azure.com\",\n \"azureAsrPrivateDnsZoneId\": \"privatelink.siterecovery.windowsazure.com\",\n \"azureAutomationDSCHybridPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureAutomationWebhookPrivateDnsZoneId\": \"privatelink.azure-automation.net\",\n \"azureBatchPrivateDnsZoneId\": \"privatelink.batch.azure.com\",\n \"azureBotServicePrivateDnsZoneId\": \"privatelink.directline.botframework.com\",\n \"azureCognitiveSearchPrivateDnsZoneId\": \"privatelink.search.windows.net\",\n \"azureCognitiveServicesPrivateDnsZoneId\": \"privatelink.cognitiveservices.azure.com\",\n \"azureCosmosCassandraPrivateDnsZoneId\": \"privatelink.cassandra.cosmos.azure.com\",\n \"azureCosmosGremlinPrivateDnsZoneId\": \"privatelink.gremlin.cosmos.azure.com\",\n \"azureCosmosMongoPrivateDnsZoneId\": \"privatelink.mongo.cosmos.azure.com\",\n \"azureCosmosSQLPrivateDnsZoneId\": \"privatelink.documents.azure.com\",\n \"azureCosmosTablePrivateDnsZoneId\": \"privatelink.table.cosmos.azure.com\",\n \"azureDataExplorerPrivateDnsZoneId\": \"privatelink.{regionName}.kusto.windows.net\",\n \"azureDataFactoryPortalPrivateDnsZoneId\": \"privatelink.adf.azure.com\",\n \"azureDataFactoryPrivateDnsZoneId\": \"privatelink.datafactory.azure.net\",\n \"azureDatabricksPrivateDnsZoneId\": \"privatelink.azuredatabricks.net\",\n \"azureDiskAccessPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureEventGridDomainsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventGridTopicsPrivateDnsZoneId\": \"privatelink.eventgrid.azure.net\",\n \"azureEventHubNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureFilePrivateDnsZoneId\": \"privatelink.afs.azure.net\",\n \"azureHDInsightPrivateDnsZoneId\": \"privatelink.azurehdinsight.net\",\n \"azureIotCentralPrivateDnsZoneId\": \"privatelink.azureiotcentral.com\",\n \"azureIotDeviceupdatePrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotHubsPrivateDnsZoneId\": \"privatelink.azure-devices.net\",\n \"azureIotPrivateDnsZoneId\": \"privatelink.azure-devices-provisioning.net\",\n \"azureKeyVaultPrivateDnsZoneId\": \"privatelink.vaultcore.azure.net\",\n \"azureKubernetesManagementPrivateDnsZoneId\": \"privatelink.{regionName}.azmk8s.io\",\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": \"privatelink.api.azureml.ms\",\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": \"privatelink.notebooks.azure.net\",\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": \"privatelink.grafana.azure.com\",\n \"azureMediaServicesKeyPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesLivePrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMediaServicesStreamPrivateDnsZoneId\": \"privatelink.media.azure.net\",\n \"azureMigratePrivateDnsZoneId\": \"privatelink.prod.migration.windowsazure.com\",\n \"azureMonitorPrivateDnsZoneId1\": \"privatelink.monitor.azure.com\",\n \"azureMonitorPrivateDnsZoneId2\": \"privatelink.oms.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId3\": \"privatelink.ods.opinsights.azure.com\",\n \"azureMonitorPrivateDnsZoneId4\": \"privatelink.agentsvc.azure-automation.net\",\n \"azureMonitorPrivateDnsZoneId5\": \"privatelink.blob.core.windows.net\",\n \"azureRedisCachePrivateDnsZoneId\": \"privatelink.redis.cache.windows.net\",\n \"azureServiceBusNamespacePrivateDnsZoneId\": \"privatelink.servicebus.windows.net\",\n \"azureSignalRPrivateDnsZoneId\": \"privatelink.service.signalr.net\",\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": \"privatelink.{regionCode}.backup.windowsazure.com\",\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageBlobPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageBlobSecPrivateDnsZoneId\": \"privatelink.blob.core.windows.net\",\n \"azureStorageDFSPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageDFSSecPrivateDnsZoneId\": \"privatelink.dfs.core.windows.net\",\n \"azureStorageFilePrivateDnsZoneId\": \"privatelink.file.core.windows.net\",\n \"azureStorageQueuePrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageQueueSecPrivateDnsZoneId\": \"privatelink.queue.core.windows.net\",\n \"azureStorageStaticWebPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageStaticWebSecPrivateDnsZoneId\": \"privatelink.web.core.windows.net\",\n \"azureStorageTablePrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureStorageTableSecondaryPrivateDnsZoneId\": \"privatelink.table.core.windows.net\",\n \"azureSynapseDevPrivateDnsZoneId\": \"privatelink.dev.azuresynapse.net\",\n \"azureSynapseSQLPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureSynapseSQLODPrivateDnsZoneId\": \"privatelink.sql.azuresynapse.net\",\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": \"privatelink.wvd.microsoft.com\",\n \"azureWebPrivateDnsZoneId\": \"privatelink.webpubsub.azure.com\"\n },\n \"metadata\": {\n \"displayName\": \"DNS Zone Names\",\n \"description\": \"The list of private DNS zone names to be used for the Azure PaaS services.\"\n }\n },\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationWebhookPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosMongoPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosCassandraPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosGremlinPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCosmosTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDataFactoryPortalPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDatabricksPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureHDInsightPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMigratePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMigratePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageBlobSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageQueueSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageDFSSecPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseSQLODPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSynapseDevPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesKeyPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesLivePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMediaServicesStreamPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId1\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId2\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId3\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId4\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMonitorPrivateDnsZoneId5\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspaceSecondPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBotServicePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBotServicePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureManagedGrafanaWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureManagedGrafanaWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopHostpoolPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopHostpoolPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureVirtualDesktopWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureVirtualDesktopWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotDeviceupdatePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotDeviceupdatePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcGuestconfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcGuestconfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcHybridResourceProviderPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcHybridResourceProviderPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureArcKubernetesConfigurationPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureArcKubernetesConfigurationPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotCentralPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotCentralPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTablePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTablePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureStorageTableSecondaryPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureStorageTableSecondaryPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBackupPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBackupPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryBlobPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryBlobPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSiteRecoveryQueuePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSiteRecoveryQueuePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Webhook\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"DSCAndHybridWorker\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"SQL\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"MongoDB\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Cassandra\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Gremlin\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"Table\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"dataFactory\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"listOfGroupIds\": {\n \"value\": [\n \"portal\"\n ]\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-UI-Api\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"databricks_ui_api\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databricks-Browser-AuthN\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"browser_authentication\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"cluster\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Sql\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"SqlOnDemand\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"targetSubResource\": {\n \"value\": \"Dev\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"keydelivery\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"liveevent\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"groupId\": {\n \"value\": \"streamingendpoint\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId1\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId2\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId2'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId2, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId3\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId3'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId3, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId4\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId4'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId4, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneId5\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId5'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId5, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"secondPrivateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspaceSecondPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspaceSecondPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-BotService\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ManagedGrafanaWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopHostpool\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"connection\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-VirtualDesktopWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateEndpointGroupId\": {\n \"value\": \"feed\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTDeviceupdate\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Arc\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneIDForGuestConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForHybridResourceProvider\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcHybridResourceProviderPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcHybridResourceProviderPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZoneIDForKubernetesConfiguration\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcKubernetesConfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcKubernetesConfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTCentral\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Table-Secondary\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\":{\n \"privateDnsZoneId\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery-Backup\",\n \"policyDefinitionId\":\"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\":{\n \"privateDnsZone-Backup\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Blob\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"privateDnsZone-Queue\": {\n \"value\": \"[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#42": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"3.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"HealthcareAPIsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n },\n \"AutomationAccountCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"BackupCmkEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"cognitiveSearchCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"osAndDataDiskCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerInstanceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adxCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"adfCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubNamespacesCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"eventHubPremiumCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"serviceBusDenyCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlManagedCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageTableCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsEncryptionCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageQueueCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"botServiceCmk\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"audit\",\n \"Deny\",\n \"deny\",\n \"Disabled\",\n \"disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b\",\n \"policyDefinitionReferenceId\": \"Deny-Aa-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AutomationAccountCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671\",\n \"policyDefinitionReferenceId\": \"Deny-Backup-Cmk\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BackupCmkEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f\",\n \"policyDefinitionReferenceId\": \"Deny-CognitiveSearch-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('cognitiveSearchCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0\",\n \"policyDefinitionReferenceId\": \"Deny-OsAndDataDisk-Cmk\",\n \"definitionVersion\": \"3.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('osAndDataDiskCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerInstance-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerInstanceCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa\",\n \"policyDefinitionReferenceId\": \"Deny-ADX-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adxCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e\",\n \"policyDefinitionReferenceId\": \"Deny-Adf-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('adfCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubNamespacesCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK\",\n \"policyDefinitionReferenceId\": \"Deny-EH-Premium-CMK\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubPremiumCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a\",\n \"policyDefinitionReferenceId\": \"Deny-Sb-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('serviceBusDenyCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Cmk\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Table-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageTableCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Encryption-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsEncryptionCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Queue-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageQueueCmk')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f\",\n \"policyDefinitionReferenceId\": \"Deny-BotService-Cmk\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('botServiceCmk')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#43": "{\n \"name\": \"Enforce-ACSB\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Guest Configuration\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"includeArcMachines\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"metadata\": {\n \"displayName\": \"Include Arc connected servers\",\n \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n },\n \"defaultValue\": \"true\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"AuditIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"GcIdentity\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n \"definitionVersion\": \"3.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"GcWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LinAcsb\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"IncludeArcMachines\": {\n \"value\": \"[[parameters('includeArcMachines')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#44": "{\n \"name\": \"Deploy-MDFC-DefenderSQL-AMA\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"[Deprecated]: Configure SQL VM and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LAW\",\n \"description\": \"Initiative is deprecated as the built-in initiative now supports bringing your own UAMI and DCR. Superseded by https://www.azadvertizer.net/azpolicyinitiativesadvertizer/de01d381-bae9-4670-8870-786f89f49e26.html\",\n \"metadata\": {\n \"version\": \"1.0.1-deprecated\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"deprecated\": true,\n \"supersededBy\": \"de01d381-bae9-4670-8870-786f89f49e26\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"workspaceRegion\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace region\",\n \"description\": \"Region of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"location\"\n }\n },\n \"dcrName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Name\",\n \"description\": \"Name of the Data Collection Rule.\"\n }\n },\n \"dcrResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Resource Group\",\n \"description\": \"Resource Group of the Data Collection Rule.\"\n }\n },\n \"dcrId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Data Collection Rule Id\",\n \"description\": \"Id of the Data Collection Rule.\"\n }\n },\n \"userWorkspaceResourceId\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Workspace Resource Id\",\n \"description\": \"Workspace resource Id of the Log Analytics workspace destination for the Data Collection Rule.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"Enable collection of SQL queries for security research\",\n \"description\": \"Enable or disable the collection of SQL queries for security research.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"identityResourceGroup\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Identity Resource Group\",\n \"description\": \"The name of the resource group created by the policy.\"\n },\n \"defaultValue\": \"\"\n },\n \"userAssignedIdentityName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"User Assigned Managed Identity Name\",\n \"description\": \"The name of the user assigned managed identity.\"\n },\n \"defaultValue\": \"\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3592ff98-9787-443a-af59-4505d0fe0786\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/65503269-6a54-4553-8a28-0065a8e6d929\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-Sql-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlArcDcrAssociation\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-Arc-SQL-DCR-Association\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlAma\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-AMA\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"identityResourceGroup\": {\n \"value\": \"[[parameters('identityResourceGroup')]\"\n },\n \"userAssignedIdentityName\": {\n \"value\": \"[[parameters('userAssignedIdentityName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsql\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlMdsqlDcr\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MDFC-SQL-DefenderSQL-DCR\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"Disabled\"\n },\n \"userWorkspaceResourceId\": {\n \"value\": \"[[parameters('userWorkspaceResourceId')]\"\n },\n \"workspaceRegion\": {\n \"value\": \"[[parameters('workspaceRegion')]\"\n },\n \"enableCollectionOfSqlQueriesForSecurityResearch\": {\n \"value\": \"[[parameters('enableCollectionOfSqlQueriesForSecurityResearch')]\"\n },\n \"dcrName\": {\n \"value\": \"[[parameters('dcrName')]\"\n },\n \"dcrResourceGroup\": {\n \"value\": \"[[parameters('dcrResourceGroup')]\"\n },\n \"dcrId\": {\n \"value\": \"[[parameters('dcrId')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#45": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#45": "{\n \"name\": \"Enforce-Backup\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce enhanced recovery and backup policies\",\n \"description\": \"Enforce enhanced recovery and backup policies on assigned scopes.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Backup\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"version\": \"1.0.0\",\n \"parameters\": {\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Audit\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"checkLockedImmutabilityOnly\",\n \"description\": \"This parameter checks if Immutability is locked for Backup Vaults in scope. Selecting 'true' will mark only vaults with Immutability 'Locked' as compliant. Selecting 'false' will mark vaults that have Immutability either 'Enabled' or 'Locked' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"type\": \"Boolean\",\n \"metadata\": {\n \"displayName\": \"CheckAlwaysOnSoftDeleteOnly\",\n \"description\": \"This parameter checks if Soft Delete is 'Locked' for Backup Vaults in scope. Selecting 'true' will mark only vaults with Soft Delete 'AlwaysOn' as compliant. Selecting 'false' will mark vaults that have Soft Delete either 'On' or 'AlwaysOn' as compliant.\"\n },\n \"allowedValues\": [\n true,\n false\n ],\n \"defaultValue\": false\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabiltyOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-Immutability\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkLockedImmutabilityOnly\": {\n \"value\": \"[[parameters('checkLockedImmutabilityOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-SoftDelete\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n },\n \"checkAlwaysOnSoftDeleteOnly\": {\n \"value\": \"[[parameters('checkAlwaysOnSoftDeleteOnly')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupBVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BackupRVault-MUA\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a\",\n \"definitionVersion\": \"1.*.*-preview\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#46": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#47": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#48": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#49": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureWebPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureWebPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", + "$fxv#5": "{\n \"name\": \"Enforce-EncryptTransit_20240509\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"replacesPolicy\": \"Enforce-EncryptTransit\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"AppServiceHttpEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceTlsVersionEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n \"description\": \"App Service. Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n }\n },\n \"AppServiceminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.3\",\n \"1.2\",\n \"1.1\",\n \"1.0\"\n ],\n \"metadata\": {\n \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n \"description\": \"App Service. Select version minimum TLS version for a Web App config to enforce\"\n }\n },\n \"APIAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"FunctionServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"FunctionAppTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Function App. Configure Function apps to use the latest TLS version.\",\n \"description\": \"App Service Function App. Periodically, newer versions are released for TLS either due to security flaws, include additional functionality, and enhance speed. Upgrade to the latest TLS version for Function apps to take advantage of security fixes, if any, and/or new functionalities of the latest version.\"\n },\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"LogicAppTlsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceLatestTlsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ]\n },\n \"WebAppServiceHttpsEffect\": {\n \"metadata\": {\n \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"AKSIngressHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"deny\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ]\n },\n \"MySQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"MySQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"MySQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"PostgreSQLEnableSSLDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"PostgreSQLEnableSSLEffect\": {\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"PostgreSQLminimalTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_0\",\n \"TLS1_1\",\n \"TLSEnforcementDisabled\"\n ],\n \"metadata\": {\n \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n \"description\": \"PostgreSQL database servers. Select version minimum TLS version Azure Database for MySQL server to enforce\"\n }\n },\n \"RedisTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Append\",\n \"allowedValues\": [\n \"Append\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"RedisMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n \"description\": \"Select version minimum TLS version for a Azure Cache for Redis to enforce\"\n }\n },\n \"RedisTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"SQLManagedInstanceTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLManagedInstanceMinTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n \"description\": \"Select version minimum TLS version for Azure Managed Instanceto to enforce\"\n }\n },\n \"SQLManagedInstanceTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"SQLServerTLSDeployEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n }\n },\n \"SQLServerminTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"1.2\",\n \"allowedValues\": [\n \"1.2\",\n \"1.0\",\n \"1.1\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n \"description\": \"Select version minimum TLS version for Azure SQL Database to enforce\"\n }\n },\n \"SQLServerTLSEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\",\n \"Deny\"\n ]\n },\n \"StorageDeployHttpsEnabledEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"StorageMinimumTlsVersion\": {\n \"type\": \"String\",\n \"defaultValue\": \"TLS1_2\",\n \"allowedValues\": [\n \"TLS1_2\",\n \"TLS1_1\",\n \"TLS1_0\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage Account select minimum TLS version\",\n \"description\": \"Select version minimum TLS version on Azure Storage Account to enforce\"\n }\n },\n \"ContainerAppsHttpsOnlyEffect\": {\n \"metadata\": {\n \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"logicAppHttpsEffect\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"appServiceAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ]\n },\n \"functionAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"functionAppHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"appServiceAppSlotsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"containerAppsHttps\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"eventHubMinTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"sqlManagedTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ]\n },\n \"sqlDbTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"storageAccountsTls\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"synapseTlsVersion\": {\n \"type\": \"string\",\n \"defaultValue\": \"Deny\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n },\n \"minTlsVersion\": {\n \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n \"definitionVersion\": \"8.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('RedisTLSEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n },\n \"minimalTlsVersion\": {\n \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n },\n \"minimumTlsVersion\": {\n \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"Dine-FunctionApp-Tls\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionReferenceId\": \"Deploy-LogicApp-TLS\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('LogicAppTlsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https\",\n \"policyDefinitionReferenceId\": \"Deny-LogicApp-Without-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('logicAppHttpsEffect')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063\",\n \"policyDefinitionReferenceId\": \"Dine-Function-Apps-Slots-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d\",\n \"policyDefinitionReferenceId\": \"Dine-AppService-Apps-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Apps-Https\",\n \"definitionVersion\": \"4.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df\",\n \"policyDefinitionReferenceId\": \"DINE-AppService-AppSlotTls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71\",\n \"policyDefinitionReferenceId\": \"Deny-FuncAppSlots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab\",\n \"policyDefinitionReferenceId\": \"Deny-FunctionApp-Https\",\n \"definitionVersion\": \"5.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('functionAppHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc\",\n \"policyDefinitionReferenceId\": \"Deny-AppService-Slots-Https\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('appServiceAppSlotsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n \"policyDefinitionReferenceId\": \"Deny-ContainerApps-Https\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('containerAppsHttps')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS\",\n \"policyDefinitionReferenceId\": \"Deny-EH-minTLS\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('eventHubMinTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Managed-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlManagedTlsVersion')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf\",\n \"policyDefinitionReferenceId\": \"Deny-Sql-Db-Tls\",\n \"definitionVersion\": \"2.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('sqlDbTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0\",\n \"policyDefinitionReferenceId\": \"Deny-Storage-Tls\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('storageAccountsTls')]\"\n }\n }\n },\n {\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4\",\n \"policyDefinitionReferenceId\": \"Deny-Synapse-Tls-Version\",\n \"definitionVersion\": \"1.*.*\",\n \"groupNames\": [],\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('synapseTlsVersion')]\"\n }\n }\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#50": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureChinaCloud\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"MySQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"PostgreSQLCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MySQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#51": "{\n \"name\": \"Deny-PublicPaaSEndpoints\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Public network access should be disabled for PaaS services\",\n \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"CosmosPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for CosmosDB\",\n \"description\": \"This policy denies that Cosmos database accounts are created with out public network access is disabled.\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"KeyVaultPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for KeyVault\",\n \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"SqlServerPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"StoragePublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access onStorage accounts should be disabled\",\n \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AKSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on AKS API should be disabled\",\n \"description\": \"This policy denies the creation of Azure Kubernetes Service non-private clusters\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"ACRPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure Container Registry disabled\",\n \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"AFSPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access on Azure File Sync disabled\",\n \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"BatchPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"MariaDbPublicIpDenyEffect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#52": "{\n \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"logAnalytics\": {\n \"metadata\": {\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"displayName\": \"Log Analytics workspace\",\n \"strongType\": \"omsWorkspace\"\n },\n \"type\": \"String\"\n },\n \"profileName\": {\n \"type\": \"String\",\n \"defaultValue\": \"setbypolicy\",\n \"metadata\": {\n \"displayName\": \"Profile name\",\n \"description\": \"The diagnostic settings profile name\"\n }\n },\n \"ACILogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n }\n },\n \"ACRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled.\"\n }\n },\n \"AKSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AnalysisServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIforFHIRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"APIMgmtLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ApplicationGatewayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AutomationLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BastionLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"BatchLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CDNEndpointsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CognitiveServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"CosmosLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DatabricksLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataExplorerClusterLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataFactoryLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeStoreLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"DataLakeAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridSubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventGridTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"EventSystemTopicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ExpressRouteLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FirewallLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FrontDoorLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"FunctionAppLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"HDInsightLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"IotHubLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"KeyVaultLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LoadBalancerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsISELogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"LogicAppsWFLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MariaDBLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MediaServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MlWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"MySQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkNICLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PostgreSQLLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"PowerBIEmbeddedLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"NetworkPublicIPNicLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RedisCacheLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"RelayLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SearchServicesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"ServiceBusLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SignalRLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLDBsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Databases to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLElasticPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"SQLMLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StreamAnalyticsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TimeSeriesInsightsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"TrafficManagerLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualNetworkLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VirtualMachinesLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VMSSLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets to stream to a Log Analytics workspace when any Virtual Machine Scale Sets which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VNetGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n }\n },\n \"AppServiceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"AppServiceWebappLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDAppGroupsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDWorkspaceLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"WVDHostPoolsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"StorageAccountsLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n },\n \"VWanS2SVPNGWLogAnalyticsEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"DeployIfNotExists\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n },\n \"metricsEnabled\": {\n \"value\": \"True\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n },\n \"diagnosticsSettingNameToUse\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n \"parameters\": {\n \"logAnalytics\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n },\n \"profileName\": {\n \"value\": \"[[parameters('profileName')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#53": "{\n \"name\": \"Deploy-MDFC-Config\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n \"metadata\": {\n \"version\": \"3.0.1\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"emailSecurityContact\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Security contacts email address\",\n \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n }\n },\n \"minimalSeverity\": {\n \"type\": \"string\",\n \"allowedValues\": [\n \"High\",\n \"Medium\",\n \"Low\"\n ],\n \"defaultValue\": \"High\",\n \"metadata\": {\n \"displayName\": \"Minimal severity\",\n \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n }\n },\n \"logAnalytics\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Primary Log Analytics workspace\",\n \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n \"strongType\": \"omsWorkspace\"\n }\n },\n \"ascExportResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n }\n },\n \"ascExportResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n }\n },\n \"enableAscForSql\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForDns\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForArm\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForContainers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForStorage\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n },\n \"enableAscForServers\": {\n \"type\": \"String\",\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"defenderForVM\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForServers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForStorage')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForContainers\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForContainers')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForDns\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForDns')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForArm\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForArm')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('enableAscForSql')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"securityEmailContact\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n \"parameters\": {\n \"emailSecurityContact\": {\n \"value\": \"[[parameters('emailSecurityContact')]\"\n },\n \"minimalSeverity\":{\n \"value\":\"[[parameters('minimalSeverity')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"ascExport\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n \"parameters\": {\n \"resourceGroupName\": {\n \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n },\n \"resourceGroupLocation\": {\n \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n },\n \"workspaceResourceId\": {\n \"value\": \"[[parameters('logAnalytics')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", "$fxv#54": "{\n \"name\": \"Deploy-Private-DNS-Zones\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n \"metadata\": {\n \"version\": \"1.0.1\",\n \"category\": \"Network\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"azureFilePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureFilePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureBatchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureBatchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAsrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAsrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureKeyVaultPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureSignalRPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAppServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridTopicsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureDiskAccessPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveServicesPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureIotHubsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventGridDomainsPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureRedisCachePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureAcrPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureAcrPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureEventHubNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureServiceBusNamespacePrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"azureCognitiveSearchPrivateDnsZoneId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n \"strongType\": \"Microsoft.Network/privateDnsZones\",\n \"description\": \"Private DNS Zone Identifier\"\n }\n },\n \"effect\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"DeployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"DeployIfNotExists\"\n },\n \"effect1\": {\n \"type\": \"string\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"Disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect1')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n \"parameters\": {\n \"privateDnsZoneId\": {\n \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n },\n \"effect\": {\n \"value\": \"[[parameters('effect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "$fxv#55": "{\n \"name\": \"Enforce-Encryption-CMK\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n \"metadata\": {\n \"version\": \"2.0.0\",\n \"category\": \"Encryption\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"ACRCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"AksCmkEffect\": {\n \"metadata\": {\n \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n },\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ]\n },\n \"WorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n }\n },\n \"CognitiveServicesCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"CosmosCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n }\n },\n \"DataBoxCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n }\n },\n \"StreamAnalyticsCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"audit\",\n \"allowedValues\": [\n \"audit\",\n \"deny\",\n \"disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n }\n },\n \"SynapseWorkspaceCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n }\n },\n \"StorageCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n }\n },\n \"SqlServerTDECMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n\t \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n }\n },\n \"AzureBatchCMKEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"Audit\",\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n }\n },\n \"EncryptedVMDisksEffect\": {\n \"type\": \"String\",\n \"defaultValue\": \"AuditIfNotExists\",\n \"allowedValues\": [\n \"AuditIfNotExists\",\n \"Disabled\"\n ],\n \"metadata\": {\n \"displayName\": \"Disk encryption should be applied on virtual machines\",\n \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('ACRCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AksCmkEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('CosmosCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('StorageCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}\n", - "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", - "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#8": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", - "$fxv#9": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.0.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#6": "{\n \"name\": \"Enforce-ALZ-Decomm\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Decommissioned\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [ \n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesAllowed\":{\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"listOfResourceTypesAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n }\n ", + "$fxv#7": "{\n \"name\": \"Enforce-ALZ-Sandbox\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Sandbox\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {\n \"listOfResourceTypesNotAllowed\": {\n \"type\": \"Array\",\n \"defaultValue\": [],\n \"metadata\": {\n \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n \"strongType\": \"resourceTypes\"\n }\n },\n \"effectNotAllowedResources\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n },\n \"effectDenyVnetPeering\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Enable or disable the execution of the policy\"\n },\n \"allowedValues\": [\n \"Audit\",\n \"Deny\",\n \"Disabled\"\n ],\n \"defaultValue\": \"Deny\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectNotAllowedResources')]\"\n },\n \"listOfResourceTypesNotAllowed\": {\n \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {\n \"effect\": {\n \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#8": "{\n \"name\": \"DenyAction-DeleteProtection\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Monitoring\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\",\n \"AzureChinaCloud\",\n \"AzureUSGovernment\"\n ]\n },\n \"parameters\": {},\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n \"definitionVersion\": \"1.*.*\",\n \"parameters\": {},\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", + "$fxv#9": "{\n \"name\": \"Deploy-AUM-CheckUpdates\",\n \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"scope\": null,\n \"properties\": {\n \"policyType\": \"Custom\",\n \"displayName\": \"Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines\",\n \"description\": \"Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.\",\n \"metadata\": {\n \"version\": \"1.1.0\",\n \"category\": \"Security Center\",\n \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ]\n },\n \"parameters\": {\n \"assessmentMode\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Assessment mode\",\n \"description\": \"Assessment mode for the machines.\"\n },\n \"allowedValues\": [\n \"ImageDefault\",\n \"AutomaticByPlatform\"\n ],\n \"defaultValue\": \"AutomaticByPlatform\"\n },\n \"locations\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"Machines locations\",\n \"description\": \"The list of locations from which machines need to be targeted.\",\n \"strongType\": \"location\"\n },\n \"defaultValue\": []\n },\n \"tagValues\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Tags on machines\",\n \"description\": \"The list of tags that need to matched for getting target machines.\"\n },\n \"defaultValue\": {}\n },\n \"tagOperator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Tag operator\",\n \"description\": \"Matching condition for resource tags\"\n },\n \"allowedValues\": [\n \"All\",\n \"Any\"\n ],\n \"defaultValue\": \"Any\"\n }\n },\n \"policyDefinitions\": [\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15\",\n \"definitionVersion\": \"4.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateWindows\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Windows\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n },\n {\n \"policyDefinitionReferenceId\": \"azureUpdateManagerVmArcCheckUpdateLinux\",\n \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46\",\n \"definitionVersion\": \"2.*.*\",\n \"parameters\": {\n \"assessmentMode\": {\n \"value\": \"[[parameters('assessmentMode')]\"\n },\n \"osType\": {\n \"value\": \"Linux\"\n },\n \"locations\": {\n \"value\": \"[[parameters('locations')]\"\n },\n \"tagValues\": {\n \"value\": \"[[parameters('tagValues')]\"\n },\n \"tagOperator\": {\n \"value\": \"[[parameters('tagOperator')]\"\n }\n },\n \"groupNames\": []\n }\n ],\n \"policyDefinitionGroups\": null\n }\n}", "cloudEnv": "[environment().name]", "defaultDeploymentLocationByCloudType": { "AzureCloud": "northeurope", diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json index cb10857da..234ae14a6 100644 --- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json +++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "15835468158012758308" + "version": "0.31.34.60546", + "templateHash": "17509495146756258439" } }, "parameters": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json index 324ce38f9..12d199c95 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-TrustedLaunch.json @@ -8,7 +8,7 @@ "displayName": "Audit virtual machines for Trusted Launch support", "description": "Trusted Launch improves security of a Virtual Machine which requires VM SKU, OS Disk & OS Image to support it (Gen 2). To learn more about Trusted Launch, visit https://aka.ms/trustedlaunch.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Trusted Launch", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -36,6 +36,7 @@ { "policyDefinitionReferenceId": "AuditDisksOsTrustedLaunch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b03bb370-5249-4ea4-9fce-2552e87e45fa", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -46,6 +47,7 @@ { "policyDefinitionReferenceId": "AuditTrustedLaunchEnabled", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c95b54ad-0614-4633-ab29-104b01235cbf", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json index 3c4c556a1..1490d20e1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Audit-UnusedResourcesCostOptimization.json @@ -8,7 +8,7 @@ "displayName": "Unused resources driving cost should be avoided", "description": "Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.", "metadata": { - "version": "2.0.0", + "version": "2.1.0", "category": "Cost Optimization", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -59,6 +59,7 @@ { "policyDefinitionReferenceId": "AuditDisksUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectDisks')]" @@ -69,6 +70,7 @@ { "policyDefinitionReferenceId": "AuditPublicIpAddressesUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectPublicIpAddresses')]" @@ -79,6 +81,7 @@ { "policyDefinitionReferenceId": "AuditServerFarmsUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectServerFarms')]" @@ -89,6 +92,7 @@ { "policyDefinitionReferenceId": "AuditAzureHybridBenefitUnusedResourcesCostOptimization", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "Audit" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json index 6ce59a69e..50db605de 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deny-PublicPaaSEndpoints.json @@ -8,7 +8,7 @@ "displayName": "Public network access should be disabled for PaaS services", "description": "This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints", "metadata": { - "version": "5.1.0", + "version": "5.2.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -520,6 +520,7 @@ { "policyDefinitionReferenceId": "CosmosDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('CosmosPublicIpDenyEffect')]" @@ -530,6 +531,7 @@ { "policyDefinitionReferenceId": "KeyVaultDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('KeyVaultPublicIpDenyEffect')]" @@ -540,6 +542,7 @@ { "policyDefinitionReferenceId": "SqlServerDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlServerPublicIpDenyEffect')]" @@ -550,6 +553,7 @@ { "policyDefinitionReferenceId": "StorageDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StoragePublicIpDenyEffect')]" @@ -560,6 +564,7 @@ { "policyDefinitionReferenceId": "AKSDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AKSPublicIpDenyEffect')]" @@ -570,6 +575,7 @@ { "policyDefinitionReferenceId": "ACRDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ACRPublicIpDenyEffect')]" @@ -580,6 +586,7 @@ { "policyDefinitionReferenceId": "AFSDenyPaasPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AFSPublicIpDenyEffect')]" @@ -590,6 +597,7 @@ { "policyDefinitionReferenceId": "PostgreSQLFlexDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48", + "definitionVersion": "3.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLFlexPublicIpDenyEffect')]" @@ -600,6 +608,7 @@ { "policyDefinitionReferenceId": "Deny-PostgreSql-Public-Network-Access", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b52376f7-9612-48a1-81cd-1ffe4b61032c", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -610,6 +619,7 @@ { "policyDefinitionReferenceId": "MySQLFlexDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLFlexPublicIpDenyEffect')]" @@ -620,6 +630,7 @@ { "policyDefinitionReferenceId": "BatchDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('BatchPublicIpDenyEffect')]" @@ -630,6 +641,7 @@ { "policyDefinitionReferenceId": "MariaDbDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('MariaDbPublicIpDenyEffect')]" @@ -640,6 +652,7 @@ { "policyDefinitionReferenceId": "MlDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('MlPublicIpDenyEffect')]" @@ -650,6 +663,7 @@ { "policyDefinitionReferenceId": "RedisCacheDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisCachePublicIpDenyEffect')]" @@ -660,6 +674,7 @@ { "policyDefinitionReferenceId": "BotServiceDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('BotServicePublicIpDenyEffect')]" @@ -670,6 +685,7 @@ { "policyDefinitionReferenceId": "AutomationDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AutomationPublicIpDenyEffect')]" @@ -680,6 +696,7 @@ { "policyDefinitionReferenceId": "AppConfigDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AppConfigPublicIpDenyEffect')]" @@ -690,6 +707,7 @@ { "policyDefinitionReferenceId": "FunctionDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionPublicIpDenyEffect')]" @@ -700,6 +718,7 @@ { "policyDefinitionReferenceId": "FunctionAppSlotsDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/11c82d0c-db9f-4d7b-97c5-f3f9aa957da2", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionAppSlotPublicIpDenyEffect')]" @@ -710,6 +729,7 @@ { "policyDefinitionReferenceId": "AseDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3", + "definitionVersion": "3.*.*", "parameters": { "effect": { "value": "[[parameters('AsePublicIpDenyEffect')]" @@ -720,6 +740,7 @@ { "policyDefinitionReferenceId": "AsDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AsPublicIpDenyEffect')]" @@ -730,6 +751,7 @@ { "policyDefinitionReferenceId": "ApiManDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ApiManPublicIpDenyEffect')]" @@ -740,6 +762,7 @@ { "policyDefinitionReferenceId": "ContainerAppsEnvironmentDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ContainerAppsEnvironmentDenyEffect')]" @@ -750,6 +773,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/783ea2a8-b8fd-46be-896a-9ae79643a0b1", "policyDefinitionReferenceId": "Deny-ContainerApps-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -760,6 +784,7 @@ { "policyDefinitionReferenceId": "AsrVaultDenyPublicIP", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9ebbbba3-4d65-4da9-bb67-b22cfaaff090", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('AsrVaultDenyEffect')]" @@ -770,6 +795,7 @@ { "policyDefinitionReferenceId": "Deny-LogicApp-Public-Network-Access", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApp-Public-Network", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -780,6 +806,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/701a595d-38fb-4a66-ae6d-fb3735217622", "policyDefinitionReferenceId": "Deny-AppSlots-Public", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -790,6 +817,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee980b6d-0eca-4501-8d54-f6290fd512c3", "policyDefinitionReferenceId": "Deny-CognitiveSearch-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -800,6 +828,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8405fdab-1faf-48aa-b702-999c9c172094", "policyDefinitionReferenceId": "Deny-ManagedDisk-Public-Network-Access", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -810,6 +839,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43bc7be6-5e69-4b0d-a2bb-e815557ca673", "policyDefinitionReferenceId": "Deny-ADX-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -820,6 +850,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1cf164be-6819-4a50-b8fa-4bcaa4f98fb6", "policyDefinitionReferenceId": "Deny-Adf-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -830,6 +861,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f8f774be-6aee-492a-9e29-486ef81f3a68", "policyDefinitionReferenceId": "Deny-EventGrid-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -840,6 +872,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1adadefe-5f21-44f7-b931-a59b54ccdb45", "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -850,6 +883,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0602787f-9896-402a-a6e1-39ee63ee435e", "policyDefinitionReferenceId": "Deny-EH-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -860,6 +894,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19ea9d63-adee-4431-a95e-1913c6c1c75f", "policyDefinitionReferenceId": "Deny-KV-Hms-PublicNetwork", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -870,6 +905,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d9844e8a-1437-4aeb-a32c-0c992f056095", "policyDefinitionReferenceId": "Deny-MySql-Public-Network-Access", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -880,6 +916,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0725b4dd-7e76-479c-a735-68e7ee23d5ca", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Public-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -890,6 +927,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -900,6 +938,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cbd11fd3-3002-4907-b6c8-579f0e700e13", "policyDefinitionReferenceId": "Deny-Sb-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -910,6 +949,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9dfea752-dd46-4766-aed1-c355fa93fb91", "policyDefinitionReferenceId": "Deny-Sql-Managed-Public-Endpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -920,6 +960,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751", "policyDefinitionReferenceId": "Deny-Storage-Public-Access", + "definitionVersion": "3.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -930,6 +971,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/38d8df46-cf4e-4073-8e03-48c24b29de0d", "policyDefinitionReferenceId": "Deny-Synapse-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -940,6 +982,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ac3038-c07a-4b92-860d-29e270a4f3cd", "policyDefinitionReferenceId": "Deny-Workspace-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -950,6 +993,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c25dcf31-878f-4eba-98eb-0818fdc6a334", "policyDefinitionReferenceId": "Deny-Hostpool-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -960,6 +1004,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e8775d5a-73b7-4977-a39b-833ef0114628", "policyDefinitionReferenceId": "Deny-Grafana-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json index 5bd4ca7e1..bba71fab1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/DenyAction-DeleteProtection.json @@ -8,7 +8,7 @@ "displayName": "DenyAction Delete - Activity Log Settings and Diagnostic Settings", "description": "Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Monitoring", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -22,12 +22,14 @@ { "policyDefinitionReferenceId": "DenyActionDelete-DiagnosticSettings", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "DenyActionDelete-ActivityLogSettings", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] } diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json index 21d11434e..d0d228dd3 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-AUM-CheckUpdates.json @@ -8,7 +8,7 @@ "displayName": "Configure periodic checking for missing system updates on azure virtual machines and Arc-enabled virtual machines", "description": "Configure auto-assessment (every 24 hours) for OS updates. You can control the scope of assignment according to machine subscription, resource group, location or tag. Learn more about this for Windows: https://aka.ms/computevm-windowspatchassessmentmode, for Linux: https://aka.ms/computevm-linuxpatchassessmentmode.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -62,6 +62,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateWindows", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15", + "definitionVersion": "4.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" @@ -84,6 +85,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmCheckUpdateLinux", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15", + "definitionVersion": "4.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" @@ -106,6 +108,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateWindows", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46", + "definitionVersion": "2.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" @@ -128,6 +131,7 @@ { "policyDefinitionReferenceId": "azureUpdateManagerVmArcCheckUpdateLinux", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46", + "definitionVersion": "2.*.*", "parameters": { "assessmentMode": { "value": "[[parameters('assessmentMode')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json index d87b4d22e..e41c91ec4 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config_20240319.json @@ -8,7 +8,7 @@ "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud configuration", "metadata": { - "version": "2.1.0", + "version": "2.2.0", "category": "Security Center", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-MDFC-Config", @@ -226,12 +226,25 @@ "displayName": "Effect", "description": "Enable or disable the execution of the policy" } + }, + "enableTvmCheck": { + "type": "String", + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + } } }, "policyDefinitions": [ { "policyDefinitionReferenceId": "defenderForOssDb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForOssDb')]" @@ -242,6 +255,7 @@ { "policyDefinitionReferenceId": "defenderForVM", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForServers')]" @@ -252,6 +266,7 @@ { "policyDefinitionReferenceId": "defenderForVMVulnerabilityAssessment", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b", + "definitionVersion": "4.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForServersVulnerabilityAssessments')]" @@ -265,6 +280,7 @@ { "policyDefinitionReferenceId": "defenderForSqlServerVirtualMachines", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForSqlOnVm')]" @@ -275,6 +291,7 @@ { "policyDefinitionReferenceId": "defenderForAppServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForAppServices')]" @@ -285,6 +302,7 @@ { "policyDefinitionReferenceId": "defenderForStorageAccountsV2", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForStorage')]" @@ -295,6 +313,7 @@ { "policyDefinitionReferenceId": "defenderforContainers", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForContainers')]" @@ -305,6 +324,7 @@ { "policyDefinitionReferenceId": "defenderforKubernetes", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5", + "definitionVersion": "4.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForContainers')]" @@ -318,6 +338,7 @@ { "policyDefinitionReferenceId": "azurePolicyForKubernetes", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", + "definitionVersion": "4.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForContainers')]" @@ -328,6 +349,7 @@ { "policyDefinitionReferenceId": "defenderForKeyVaults", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForKeyVault')]" @@ -338,6 +360,7 @@ { "policyDefinitionReferenceId": "defenderForArm", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForArm')]" @@ -348,6 +371,7 @@ { "policyDefinitionReferenceId": "defenderForSqlPaas", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForSql')]" @@ -358,6 +382,7 @@ { "policyDefinitionReferenceId": "defenderForCosmosDbs", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForCosmosDbs')]" @@ -368,6 +393,7 @@ { "policyDefinitionReferenceId": "defenderForCspm", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72f8cee7-2937-403d-84a1-a4e3e57f3c21", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('enableAscForCspm')]" @@ -378,6 +404,7 @@ { "policyDefinitionReferenceId": "securityEmailContact", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts", + "definitionVersion": "1.*.*", "parameters": { "emailSecurityContact": { "value": "[[parameters('emailSecurityContact')]" @@ -391,6 +418,7 @@ { "policyDefinitionReferenceId": "ascExport", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9", + "definitionVersion": "4.*.*", "parameters": { "resourceGroupName": { "value": "[[parameters('ascExportResourceGroupName')]" @@ -411,6 +439,9 @@ "policyDefinitionReferenceId": "migrateToMdeTvm", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/766e621d-ba95-4e43-a6f2-e945db3d7888", "parameters": { + "effect": { + "value": "[[parameters('enableTvmCheck')]" + } }, "groupNames": [] } diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json index fc604744c..3cef615d1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Private-DNS-Zones.json @@ -8,7 +8,7 @@ "displayName": "Configure Azure PaaS services to use private DNS zones", "description": "This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones", "metadata": { - "version": "2.3.0", + "version": "2.4.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -826,6 +826,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-File-Sync", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -839,6 +840,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-Webhook", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationWebhookPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationWebhookPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -855,6 +857,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Automation-DSCHybrid", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAutomationDSCHybridPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAutomationDSCHybridPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -871,6 +874,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-SQL", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -887,6 +891,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-MongoDB", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosMongoPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosMongoPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -903,6 +908,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Cassandra", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosCassandraPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosCassandraPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -919,6 +925,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Gremlin", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosGremlinPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosGremlinPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -935,6 +942,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Cosmos-Table", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCosmosTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCosmosTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -951,6 +959,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -969,6 +978,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DataFactory-Portal", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDataFactoryPortalPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDataFactoryPortalPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -987,6 +997,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-UI-Api", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1003,6 +1014,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Databricks-Browser-AuthN", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDatabricksPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDatabricksPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1019,6 +1031,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-HDInsight", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureHDInsightPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureHDInsightPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1035,6 +1048,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Migrate", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMigratePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMigratePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1048,6 +1062,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1061,6 +1076,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Blob-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageBlobSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageBlobSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1074,6 +1090,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueuePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueuePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1087,6 +1104,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Queue-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageQueueSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageQueueSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1100,6 +1118,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-File", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageFilePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageFilePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1113,6 +1132,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1126,6 +1146,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-StaticWeb-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageStaticWebSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageStaticWebSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1139,6 +1160,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1152,6 +1174,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-DFS-Sec", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageDFSSecPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageDFSSecPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1165,6 +1188,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1181,6 +1205,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-SQL-OnDemand", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseSQLODPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseSQLODPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1197,6 +1222,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Synapse-Dev", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9", + "definitionVersion": "2.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSynapseDevPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSynapseDevPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1213,6 +1239,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Key", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesKeyPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesKeyPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1229,6 +1256,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Live", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesLivePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesLivePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1245,6 +1273,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MediaServices-Stream", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMediaServicesStreamPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMediaServicesStreamPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1261,6 +1290,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Monitor", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId1": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMonitorPrivateDnsZoneId1'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMonitorPrivateDnsZoneId1, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1286,6 +1316,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Web", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureWebPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureWebPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1299,6 +1330,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Batch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBatchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBatchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1312,6 +1344,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-App", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1325,6 +1358,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2", + "definitionVersion": "1.*.*-preview", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAsrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAsrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1338,6 +1372,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoT", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1351,6 +1386,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-KeyVault", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureKeyVaultPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureKeyVaultPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1364,6 +1400,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-SignalR", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSignalRPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSignalRPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1377,6 +1414,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-AppServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAppServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAppServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1390,6 +1428,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridTopics", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridTopicsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridTopicsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1403,6 +1442,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-DiskAccess", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureDiskAccessPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureDiskAccessPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1416,6 +1456,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveServices", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveServicesPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveServicesPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1429,6 +1470,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTHubs", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotHubsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotHubsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1442,6 +1484,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventGridDomains", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventGridDomainsPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventGridDomainsPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1455,6 +1498,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-RedisCache", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureRedisCachePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureRedisCachePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1468,6 +1512,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ACR", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureAcrPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureAcrPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1481,6 +1526,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-EventHubNamespace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureEventHubNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureEventHubNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1494,6 +1540,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-MachineLearningWorkspace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureMachineLearningWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureMachineLearningWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1510,6 +1557,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ServiceBusNamespace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureServiceBusNamespacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureServiceBusNamespacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1523,6 +1571,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-CognitiveSearch", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureCognitiveSearchPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureCognitiveSearchPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1536,6 +1585,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-BotService", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6a4e6f44-f2af-4082-9702-033c9e88b9f8", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureBotServicePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureBotServicePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1548,6 +1598,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-ManagedGrafanaWorkspace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4c8537f8-cd1b-49ec-b704-18e82a42fd58", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureManagedGrafanaWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureManagedGrafanaWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1560,6 +1611,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopHostpool", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9427df23-0f42-4e1e-bf99-a6133d841c4a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopHostpoolPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopHostpoolPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1575,6 +1627,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-VirtualDesktopWorkspace", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34804460-d88b-4922-a7ca-537165e060ed", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureVirtualDesktopWorkspacePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureVirtualDesktopWorkspacePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1590,6 +1643,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTDeviceupdate", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a222b93a-e6c2-4c01-817f-21e092455b2a", + "definitionVersion": "1.*.*", "parameters": { "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotDeviceupdatePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotDeviceupdatePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1602,6 +1656,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Arc", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55c4db33-97b0-437b-8469-c4f4498f5df9", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneIDForGuestConfiguration": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureArcGuestconfigurationPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureArcGuestconfigurationPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1620,6 +1675,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-IoTCentral", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d627d7c6-ded5-481a-8f2e-7e16b1e6faf6", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureIotCentralPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureIotCentralPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1632,6 +1688,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/028bbd88-e9b5-461f-9424-a1b63a7bee1a", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTablePrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTablePrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1644,6 +1701,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Storage-Table-Secondary", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c1d634a5-f73d-4cdd-889f-2cc7006eb47f", + "definitionVersion": "1.*.*", "parameters":{ "privateDnsZoneId": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureStorageTableSecondaryPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureStorageTableSecondaryPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" @@ -1656,6 +1714,7 @@ { "policyDefinitionReferenceId": "DINE-Private-DNS-Azure-Site-Recovery-Backup", "policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/af783da1-4ad1-42be-800d-d19c70038820", + "definitionVersion": "1.*.*-preview", "parameters":{ "privateDnsZone-Backup": { "value": "[[if(equals(parameters('dnsZoneSubscriptionId'), ''), parameters('azureSiteRecoveryBackupPrivateDnsZoneId'), format('/subscriptions/{0}/resourceGroups/{1}/providers/{2}/{3}', parameters('dnsZoneSubscriptionId'), toLower(parameters('dnsZoneResourceGroupName')), parameters('dnsZoneResourceType'), replace(replace(parameters('dnsZoneNames').azureSiteRecoveryBackupPrivateDnsZoneId, '{regionName}', parameters('dnsZoneRegion')), '{regionCode}', parameters('dnzZoneRegionShortNames')[parameters('dnsZoneRegion')])))]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json index 1d25ba58c..4b27561c5 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Sql-Security_20240529.json @@ -8,7 +8,7 @@ "displayName": "Deploy SQL Database built-in SQL security configuration", "description": "Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Deploy-Sql-Security", @@ -86,6 +86,7 @@ { "policyDefinitionReferenceId": "SqlDbTdeDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbTdeDeploySqlSecurityEffect')]" @@ -96,6 +97,7 @@ { "policyDefinitionReferenceId": "SqlDbSecurityAlertPoliciesDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]" @@ -106,6 +108,7 @@ { "policyDefinitionReferenceId": "SqlDbAuditingSettingsDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]" @@ -116,6 +119,7 @@ { "policyDefinitionReferenceId": "SqlDbVulnerabilityAssessmentsDeploySqlSecurity", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments_20230706", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json index 5b87ebf75..8d3406614 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ACSB.json @@ -8,7 +8,7 @@ "displayName": "Enforce Azure Compute Security Benchmark compliance auditing", "description": "Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Guest Configuration", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -45,24 +45,28 @@ { "policyDefinitionReferenceId": "GcIdentity", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e", + "definitionVersion": "4.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "GcLinux", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da", + "definitionVersion": "3.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "GcWindows", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] }, { "policyDefinitionReferenceId": "WinAcsb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -76,6 +80,7 @@ { "policyDefinitionReferenceId": "LinAcsb", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json index a2eaa786d..536bda1e2 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Decomm.json @@ -8,7 +8,7 @@ "displayName": "Enforce policies in the Decommissioned Landing Zone", "description": "Enforce policies in the Decommissioned Landing Zone.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Decommissioned", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -32,6 +32,7 @@ { "policyDefinitionReferenceId": "DecomDenyResources", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c", + "definitionVersion": "1.*.*", "parameters": { "listOfResourceTypesAllowed": { "value": "[[parameters('listOfResourceTypesAllowed')]" @@ -42,6 +43,7 @@ { "policyDefinitionReferenceId": "DecomShutdownMachines", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown", + "definitionVersion": "1.*.*", "parameters": {}, "groupNames": [] } diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json index 93b5098aa..56df9b97a 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-ALZ-Sandbox.json @@ -8,7 +8,7 @@ "displayName": "Enforce policies in the Sandbox Landing Zone", "description": "Enforce policies in the Sandbox Landing Zone.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Sandbox", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionReferenceId": "SandboxNotAllowed", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('effectNotAllowedResources')]" @@ -71,6 +72,7 @@ { "policyDefinitionReferenceId": "SandboxDenyVnetPeering", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('effectDenyVnetPeering')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json index 172ccc746..3c4c40a70 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Backup.json @@ -8,7 +8,7 @@ "displayName": "Enforce enhanced recovery and backup policies", "description": "Enforce enhanced recovery and backup policies on assigned scopes.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Backup", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -60,6 +60,7 @@ { "policyDefinitionReferenceId": "BackupBVault-Immutability", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2514263b-bc0d-4b06-ac3e-f262c0979018", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -73,6 +74,7 @@ { "policyDefinitionReferenceId": "BackupRVault-Immutability", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6f6f560-14b7-49a4-9fc8-d2c3a9807868", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -86,6 +88,7 @@ { "policyDefinitionReferenceId": "BackupBVault-SoftDelete", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9798d31d-6028-4dee-8643-46102185c016", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -99,6 +102,7 @@ { "policyDefinitionReferenceId": "BackupRVault-SoftDelete", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/31b8092a-36b8-434b-9af7-5ec844364148", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -112,6 +116,7 @@ { "policyDefinitionReferenceId": "BackupBVault-MUA", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c58e083e-7982-4e24-afdc-be14d312389e", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" @@ -122,6 +127,7 @@ { "policyDefinitionReferenceId": "BackupRVault-MUA", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c7031eab-0fc0-4cd9-acd0-4497bd66d91a", + "definitionVersion": "1.*.*-preview", "parameters": { "effect": { "value": "[[parameters('effect')]" diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json index b25cb4507..e9a9a8af6 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit_20240509.json @@ -8,7 +8,7 @@ "displayName": "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit", "description": "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. ", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "replacesPolicy": "Enforce-EncryptTransit", @@ -519,6 +519,7 @@ { "policyDefinitionReferenceId": "AppServiceHttpEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AppServiceHttpEffect')]" @@ -529,6 +530,7 @@ { "policyDefinitionReferenceId": "AppServiceminTlsVersion", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AppServiceTlsVersionEffect')]" @@ -542,6 +544,7 @@ { "policyDefinitionReferenceId": "FunctionLatestTlsEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionLatestTlsEffect')]" @@ -552,6 +555,7 @@ { "policyDefinitionReferenceId": "WebAppServiceLatestTlsEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('WebAppServiceLatestTlsEffect')]" @@ -562,6 +566,7 @@ { "policyDefinitionReferenceId": "APIAppServiceHttpsEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('APIAppServiceHttpsEffect')]" @@ -572,6 +577,7 @@ { "policyDefinitionReferenceId": "FunctionServiceHttpsEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('FunctionServiceHttpsEffect')]" @@ -582,6 +588,7 @@ { "policyDefinitionReferenceId": "WebAppServiceHttpsEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('WebAppServiceHttpsEffect')]" @@ -592,6 +599,7 @@ { "policyDefinitionReferenceId": "AKSIngressHttpsOnlyEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d", + "definitionVersion": "8.*.*", "parameters": { "effect": { "value": "[[parameters('AKSIngressHttpsOnlyEffect')]" @@ -602,6 +610,7 @@ { "policyDefinitionReferenceId": "MySQLEnableSSLDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLEnableSSLDeployEffect')]" @@ -615,6 +624,7 @@ { "policyDefinitionReferenceId": "MySQLEnableSSLEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLEnableSSLEffect')]" @@ -628,6 +638,7 @@ { "policyDefinitionReferenceId": "PostgreSQLEnableSSLDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLEnableSSLDeployEffect')]" @@ -641,6 +652,7 @@ { "policyDefinitionReferenceId": "PostgreSQLEnableSSLEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLEnableSSLEffect')]" @@ -654,6 +666,7 @@ { "policyDefinitionReferenceId": "RedisTLSDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisTLSDeployEffect')]" @@ -667,6 +680,7 @@ { "policyDefinitionReferenceId": "RedisdisableNonSslPort", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisTLSDeployEffect')]" @@ -677,6 +691,7 @@ { "policyDefinitionReferenceId": "RedisDenyhttps", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('RedisTLSEffect')]" @@ -690,6 +705,7 @@ { "policyDefinitionReferenceId": "SQLManagedInstanceTLSDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLManagedInstanceTLSDeployEffect')]" @@ -703,6 +719,7 @@ { "policyDefinitionReferenceId": "SQLManagedInstanceTLSEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLManagedInstanceTLSEffect')]" @@ -716,6 +733,7 @@ { "policyDefinitionReferenceId": "SQLServerTLSDeployEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLServerTLSDeployEffect')]" @@ -729,6 +747,7 @@ { "policyDefinitionReferenceId": "SQLServerTLSEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SQLServerTLSEffect')]" @@ -742,6 +761,7 @@ { "policyDefinitionReferenceId": "StorageDeployHttpsEnabledEffect", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StorageDeployHttpsEnabledEffect')]" @@ -755,6 +775,7 @@ { "policyDefinitionReferenceId": "ContainerAppsHttpsOnlyEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ContainerAppsHttpsOnlyEffect')]" @@ -765,6 +786,7 @@ { "policyDefinitionReferenceId": "Dine-FunctionApp-Tls", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f01f1c7-539c-49b5-9ef4-d4ffa37d22e0", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -775,6 +797,7 @@ { "policyDefinitionReferenceId": "Deploy-LogicApp-TLS", "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-LogicApp-TLS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -785,6 +808,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-LogicApps-Without-Https", "policyDefinitionReferenceId": "Deny-LogicApp-Without-Https", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -795,6 +819,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fa3a6357-c6d6-4120-8429-855577ec0063", "policyDefinitionReferenceId": "Dine-Function-Apps-Slots-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -805,6 +830,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae44c1d1-0df2-4ca9-98fa-a3d3ae5b409d", "policyDefinitionReferenceId": "Dine-AppService-Apps-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -815,6 +841,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a4af4a39-4135-47fb-b175-47fbdf85311d", "policyDefinitionReferenceId": "Deny-AppService-Apps-Https", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -825,6 +852,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6545c6b-dd9d-4265-91e6-0b451e2f1c50", "policyDefinitionReferenceId": "Deny-AppService-Tls", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -835,6 +863,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/014664e7-e348-41a3-aeb9-566e4ff6a9df", "policyDefinitionReferenceId": "DINE-AppService-AppSlotTls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -845,6 +874,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e5dbe3f-2702-4ffc-8b1e-0cae008a5c71", "policyDefinitionReferenceId": "Deny-FuncAppSlots-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -855,6 +885,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d555dd1-86f2-4f1c-8ed7-5abae7c6cbab", "policyDefinitionReferenceId": "Deny-FunctionApp-Https", + "definitionVersion": "5.*.*", "groupNames": [], "parameters": { "effect": { @@ -865,6 +896,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae1b9a8c-dfce-4605-bd91-69213b4a26fc", "policyDefinitionReferenceId": "Deny-AppService-Slots-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -875,6 +907,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb", "policyDefinitionReferenceId": "Deny-ContainerApps-Https", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -885,6 +918,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-minTLS", "policyDefinitionReferenceId": "Deny-EH-minTLS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -895,6 +929,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8793640-60f7-487c-b5c3-1d37215905c4", "policyDefinitionReferenceId": "Deny-Sql-Managed-Tls-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -905,6 +940,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/32e6bbec-16b6-44c2-be37-c5b672d103cf", "policyDefinitionReferenceId": "Deny-Sql-Db-Tls", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -915,6 +951,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe83a0eb-a853-422d-aac2-1bffd182c5d0", "policyDefinitionReferenceId": "Deny-Storage-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -925,6 +962,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cb3738a6-82a2-4a18-b87b-15217b9deff4", "policyDefinitionReferenceId": "Deny-Synapse-Tls-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json index 537b995b2..03e5c702c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Encryption-CMK.json @@ -8,7 +8,7 @@ "displayName": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "description": "Deny or Audit resources without Encryption with a customer-managed key (CMK)", "metadata": { - "version": "3.1.0", + "version": "3.2.0", "category": "Encryption", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -347,6 +347,7 @@ { "policyDefinitionReferenceId": "ACRCmkDeny", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('ACRCmkEffect')]" @@ -357,6 +358,7 @@ { "policyDefinitionReferenceId": "AksCmkDeny", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AksCmkEffect')]" @@ -367,6 +369,7 @@ { "policyDefinitionReferenceId": "WorkspaceCMK", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('WorkspaceCMKEffect')]" @@ -377,6 +380,7 @@ { "policyDefinitionReferenceId": "CognitiveServicesCMK", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('CognitiveServicesCMKEffect')]" @@ -387,6 +391,7 @@ { "policyDefinitionReferenceId": "CosmosCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('CosmosCMKEffect')]" @@ -397,6 +402,7 @@ { "policyDefinitionReferenceId": "DataBoxCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('DataBoxCMKEffect')]" @@ -407,6 +413,7 @@ { "policyDefinitionReferenceId": "StreamAnalyticsCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StreamAnalyticsCMKEffect')]" @@ -417,6 +424,7 @@ { "policyDefinitionReferenceId": "SynapseWorkspaceCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('SynapseWorkspaceCMKEffect')]" @@ -427,6 +435,7 @@ { "policyDefinitionReferenceId": "StorageCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('StorageCMKEffect')]" @@ -437,6 +446,7 @@ { "policyDefinitionReferenceId": "MySQLCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('MySQLCMKEffect')]" @@ -447,6 +457,7 @@ { "policyDefinitionReferenceId": "PostgreSQLCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('PostgreSQLCMKEffect')]" @@ -457,6 +468,7 @@ { "policyDefinitionReferenceId": "SqlServerTDECMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('SqlServerTDECMKEffect')]" @@ -467,6 +479,7 @@ { "policyDefinitionReferenceId": "HealthcareAPIsCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('HealthcareAPIsCMKEffect')]" @@ -477,6 +490,7 @@ { "policyDefinitionReferenceId": "AzureBatchCMKEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a", + "definitionVersion": "1.*.*", "parameters": { "effect": { "value": "[[parameters('AzureBatchCMKEffect')]" @@ -487,6 +501,7 @@ { "policyDefinitionReferenceId": "EncryptedVMDisksEffect", "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d", + "definitionVersion": "2.*.*", "parameters": { "effect": { "value": "[[parameters('EncryptedVMDisksEffect')]" @@ -497,6 +512,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56a5ee18-2ae6-4810-86f7-18e39ce5629b", "policyDefinitionReferenceId": "Deny-Aa-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -507,6 +523,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2e94d99a-8a36-4563-bc77-810d8893b671", "policyDefinitionReferenceId": "Deny-Backup-Cmk", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -517,6 +534,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/76a56461-9dc0-40f0-82f5-2453283afa2f", "policyDefinitionReferenceId": "Deny-CognitiveSearch-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -527,6 +545,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/702dd420-7fcc-42c5-afe8-4026edd20fe0", "policyDefinitionReferenceId": "Deny-OsAndDataDisk-Cmk", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -537,6 +556,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0aa61e00-0a01-4a3c-9945-e93cffedf0e6", "policyDefinitionReferenceId": "Deny-ContainerInstance-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -547,6 +567,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/81e74cea-30fd-40d5-802f-d72103c2aaaa", "policyDefinitionReferenceId": "Deny-ADX-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -557,6 +578,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4ec52d6d-beb7-40c4-9a9e-fe753254690e", "policyDefinitionReferenceId": "Deny-Adf-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -567,6 +589,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1ad735a-e96f-45d2-a7b2-9a4932cab7ec", "policyDefinitionReferenceId": "Deny-EH-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -577,6 +600,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-EH-Premium-CMK", "policyDefinitionReferenceId": "Deny-EH-Premium-CMK", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -587,6 +611,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/295fc8b1-dc9f-4f53-9c61-3f313ceab40a", "policyDefinitionReferenceId": "Deny-Sb-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -597,6 +622,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac01ad65-10e5-46df-bdd9-6b0cad13e1d2", "policyDefinitionReferenceId": "Deny-Sql-Managed-Cmk", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -607,6 +633,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7c322315-e26d-4174-a99e-f49d351b4688", "policyDefinitionReferenceId": "Deny-Storage-Table-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -617,6 +644,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5ec538c-daa0-4006-8596-35468b9148e8", "policyDefinitionReferenceId": "Deny-Storage-Encryption-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -627,6 +655,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f0e5abd0-2554-4736-b7c0-4ffef23475ef", "policyDefinitionReferenceId": "Deny-Storage-Queue-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -637,6 +666,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/51522a96-0869-4791-82f3-981000c2c67f", "policyDefinitionReferenceId": "Deny-BotService-Cmk", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json index a995c1ad8..e868638e7 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-APIM.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for API Management", "description": "This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "API Management", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -121,6 +121,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f1cc7827-022c-473e-836e-5a51cae0b249", "policyDefinitionReferenceId": "Deny-Apim-without-Kv", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -131,6 +132,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ef619a2c-cc4d-4d03-b2ba-8c94a834d85b", "policyDefinitionReferenceId": "Deny-Apim-without-Vnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -141,6 +143,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-APIM-TLS", "policyDefinitionReferenceId": "Deny-APIM-TLS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -151,6 +154,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ee7495e7-3ba7-40b6-bfee-c29e22cc75d4", "policyDefinitionReferenceId": "Deny-Apim-Protocols", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -161,6 +165,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c15dcc82-b93c-4dcb-9332-fbf121685b54", "policyDefinitionReferenceId": "Deny-Apim-Authn", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -171,6 +176,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b741306c-968e-4b67-b916-5675e5c709f4", "policyDefinitionReferenceId": "Deny-Apim-Direct-Endpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -181,6 +187,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92bb331d-ac71-416a-8c91-02f2cb734ce4", "policyDefinitionReferenceId": "Deny-Apim-Cert-Validation", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -191,6 +198,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7ca8c8ac-3a6e-493d-99ba-c5fa35347ff2", "policyDefinitionReferenceId": "Dine-Apim-Public-NetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -201,6 +209,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/73ef9241-5d81-4cd4-b483-8443d1730fe5", "policyDefinitionReferenceId": "Deny-Apim-Sku-Vnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -211,6 +220,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/549814b6-3212-4203-bdc8-1548d342fb67", "policyDefinitionReferenceId": "Deny-Apim-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -221,6 +231,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3aa03346-d8c5-4994-a5bc-7652c2a2aef1", "policyDefinitionReferenceId": "Deny-Api-subscription-scope", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json index d3e06a85f..ac475138f 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-AppServices.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for App Service", "description": "This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "App Service", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -174,6 +174,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppService-without-BYOC", "policyDefinitionReferenceId": "Deny-AppService-Byoc", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -184,6 +185,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a5e3fe8f-f6cd-4f1d-bbf6-c749754a724b", "policyDefinitionReferenceId": "Dine-AppService-Apps-Remote-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -194,6 +196,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cca5adfe-626b-4cc6-8522-f5b6ed2391bd", "policyDefinitionReferenceId": "Deny-AppService-Slots-Remote-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -204,6 +207,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/eb4d34ab-0929-491c-bbf3-61e13da19f9a", "policyDefinitionReferenceId": "Deny-AppService-Latest-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -214,6 +218,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/801543d1-1953-4a90-b8b0-8cf6d41473a5", "policyDefinitionReferenceId": "Deny-AppService-Vnet-Routing", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -224,6 +229,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f5c0bfb3-acea-47b1-b477-b0edcdf6edc1", "policyDefinitionReferenceId": "Deny-AppService-Rfc", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -234,6 +240,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a691eacb-474d-47e4-b287-b4813ca44222", "policyDefinitionReferenceId": "Deny-AppServiceApps-Rfc", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -244,6 +251,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/70adbb40-e092-42d5-a6f8-71c540a5efdb", "policyDefinitionReferenceId": "DINE-FuncApp-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -254,6 +262,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5e97b776-f380-4722-a9a3-e7f0be029e79", "policyDefinitionReferenceId": "DINE-AppService-ScmAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -264,6 +273,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5747353b-1ca9-42c1-a4dd-b874b894f3d4", "policyDefinitionReferenceId": "Deny-AppServ-Routing", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -274,6 +284,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/572e342c-c920-4ef5-be2e-1ed3c6a51dc5", "policyDefinitionReferenceId": "Deny-AppServ-FtpAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -284,6 +295,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/546fe8d2-368d-4029-a418-6af48a7f61e5", "policyDefinitionReferenceId": "Deny-AppServ-SkuPl", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -294,6 +306,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2c034a29-2a5f-4857-b120-f800fe5549ae", "policyDefinitionReferenceId": "DINE-AppService-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -304,6 +317,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/25a5046c-c423-4805-9235-e844ae9ef49b", "policyDefinitionReferenceId": "DINE-AppService-Debugging", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -314,6 +328,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08cf2974-d178-48a0-b26d-f6b8e555748b", "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -324,6 +339,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0f98368e-36bc-4716-8ac2-8f8067203b63", "policyDefinitionReferenceId": "Modify-AppService-Https", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -334,6 +350,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/242222f3-4985-4e99-b5ef-086d6a6cb01c", "policyDefinitionReferenceId": "Modify-Function-Apps-Slots-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -344,6 +361,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2374605e-3e0b-492b-9046-229af202562c", "policyDefinitionReferenceId": "Modify-AppService-Apps-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -354,6 +372,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c6c3e00e-d414-4ca4-914f-406699bb8eee", "policyDefinitionReferenceId": "Modify-AppService-App-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json index 3bcb0f434..86c0db18c 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Automation.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Automation Account", "description": "This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Automation", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -74,6 +74,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6d02d2f7-e38b-4bdc-96f3-adc0a8726abc", "policyDefinitionReferenceId": "Deny-Windows-Vm-HotPatch", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -84,6 +85,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dea83a72-443c-4292-83d5-54a2f98749c0", "policyDefinitionReferenceId": "Deny-Aa-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -94,6 +96,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/48c5f1cb-14ad-4797-8e3b-f78ab3f8d700", "policyDefinitionReferenceId": "Deny-Aa-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -104,6 +107,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3657f5a0-770e-44a3-b44e-9431ba1e9735", "policyDefinitionReferenceId": "Deny-Aa-Variables-Encrypt", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -114,6 +118,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/30d1d58e-8f96-47a5-8564-499a3f3cca81", "policyDefinitionReferenceId": "Modify-Aa-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -124,6 +129,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/23b36a7c-9d26-4288-a8fd-c1d2fa284d8c", "policyDefinitionReferenceId": "Modify-Aa-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json index 785daeecf..91d7aa44f 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-BotService.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Bot Service", "description": "This policy initiative is a group of policies that ensures Bot Service is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Bot Service", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -64,6 +64,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6164527b-e1ee-4882-8673-572f425f5e0a", "policyDefinitionReferenceId": "Deny-BotService-Valid-Uri", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -74,6 +75,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/52152f42-0dda-40d9-976e-abb1acdd611e", "policyDefinitionReferenceId": "Deny-BotService-Isolated-Mode", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -84,6 +86,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ffea632e-4e3a-4424-bf78-10e179bb2e1a", "policyDefinitionReferenceId": "Deny-BotService-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -94,6 +97,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ad5621d6-a877-4407-aa93-a950b428315e", "policyDefinitionReferenceId": "Audit-BotService-Private-Link", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json index 805a08c46..872f72a09 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CognitiveServices.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Cognitive Services", "description": "This policy initiative is a group of policies that ensures Cognitive Services is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -99,6 +99,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a049bf77-880b-470f-ba6d-9f21c530cf83", "policyDefinitionReferenceId": "Deny-CognitiveSearch-SKU", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -109,6 +110,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6300012e-e9a4-4649-b41f-a85f5c43be91", "policyDefinitionReferenceId": "Deny-CongitiveSearch-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -119,6 +121,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4eb216f2-9dba-4979-86e6-5d7e63ce3b75", "policyDefinitionReferenceId": "Modify-CogntiveSearch-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -129,6 +132,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9cee519f-d9c1-4fd9-9f79-24ec3449ed30", "policyDefinitionReferenceId": "Modify-CogntiveSearch-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -139,6 +143,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47ba1dd7-28d9-4b07-a8d5-9813bed64e0c", "policyDefinitionReferenceId": "Modify-Cognitive-Services-Public-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -149,6 +154,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -159,6 +165,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Customer-Storage", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -169,6 +176,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -179,6 +187,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b4330a05-a843-4bc8-bf9a-cacce50c67f4", "policyDefinitionReferenceId": "Aine-Cognitive-Services-Resource-Logs", + "definitionVersion": "5.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json index 2d447658f..5a34c0dfe 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Compute.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Compute", "description": "This policy initiative is a group of policies that ensures Compute is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Compute", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -41,6 +41,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fc4d8e41-e223-45ea-9bf5-eada37891d87", "policyDefinitionReferenceId": "Deny-VmAndVmss-Encryption-Host", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -51,6 +52,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ca91455f-eace-4f96-be59-e6e2c35b4816", "policyDefinitionReferenceId": "Deny-Disk-Double-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json index 55ab33e46..d02647880 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerApps.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Container Apps", "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Container Apps", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -41,6 +41,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b346db6-85af-419b-8557-92cee2c0f9bb", "policyDefinitionReferenceId": "Deny-ContainerApp-Vnet-Injection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -51,6 +52,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b874ab2d-72dd-47f1-8cb5-4a306478a4e7", "policyDefinitionReferenceId": "Deny-ContainerApps-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json index 22357be82..4b77267b6 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerInstance.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Container Instance", "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Container Instances", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -32,6 +32,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8af8f826-edcb-4178-b35f-851ea6fea615", "policyDefinitionReferenceId": "Deny-ContainerInstance-Vnet", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json index a21e7bdc5..be1bc75d9 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ContainerRegistry.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Container Registry", "description": "This policy initiative is a group of policies that ensures Container Apps is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Container Registry", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -126,6 +126,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/79fdfe03-ffcb-4e55-b4d0-b925b8241759", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -136,6 +137,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a9b426fe-8856-4945-8600-18c5dd1cca2a", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Repo-Token", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -146,6 +148,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/42781ec6-6127-4c30-bdfa-fb423a0047d3", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Arm-Audience", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -156,6 +159,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/785596ed-054f-41bc-aaec-7f3d0ba05725", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Arm-Audience", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -166,6 +170,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bd560fc0-3c69-498a-ae9f-aa8eb7de0e13", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Sku-PrivateLink", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -176,6 +181,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cced2946-b08a-44fe-9fd9-e4ed8a779897", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Anonymous-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -186,6 +192,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f2dea28-e834-476c-99c5-3507b4728395", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Anonymous-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -196,6 +203,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/524b0254-c285-4903-bee6-bb8126cde579", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Exports", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -206,6 +214,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc921057-6b28-4fbe-9b83-f7bec05db6c2", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -216,6 +225,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ff05e24e-195c-447e-b322-5e90c9f9f366", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Repo-Token", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -226,6 +236,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d0793b48-0edc-4296-a390-4c75d1bdfd71", "policyDefinitionReferenceId": "Deny-ContainerRegistry-Unrestricted-Network-Access", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -236,6 +247,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a3701552-92ea-433e-9d17-33b7f1208fc9", "policyDefinitionReferenceId": "Modify-ContainerRegistry-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json index 78b5883aa..b5a8990fc 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-CosmosDb.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Cosmos DB", "description": "This policy initiative is a group of policies that ensures Cosmos DB is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Cosmos DB", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -65,6 +65,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dc2d41d1-4ab1-4666-a3e1-3d51c43e0049", "policyDefinitionReferenceId": "Modify-CosmosDb-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -75,6 +76,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b5f04e03-92a3-4b09-9410-2cc5e5047656", "policyDefinitionReferenceId": "Dine-CosmosDb-Atp", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -85,6 +87,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb", "policyDefinitionReferenceId": "Deny-CosmosDb-Fw-Rules", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -95,6 +98,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5450f5bd-9c72-4390-a9c4-a7aba4edfdd2", "policyDefinitionReferenceId": "Deny-CosmosDb-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -105,12 +109,14 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5", "policyDefinitionReferenceId": "Append-CosmosDb-Metadata", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/da69ba51-aaf1-41e5-8651-607cd0b37088", "policyDefinitionReferenceId": "Modify-CosmosDb-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json index 63dc68ab6..2e058c5dc 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataExplorer.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Data Explorer", "description": "This policy initiative is a group of policies that ensures Data Explorer is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Azure Data Explorer", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1fec9658-933f-4b3e-bc95-913ed22d012b", "policyDefinitionReferenceId": "Deny-ADX-Sku-without-PL-Support", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -68,6 +69,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ec068d99-e9c7-401f-8cef-5bdde4e6ccf1", "policyDefinitionReferenceId": "Deny-ADX-Double-Encryption", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -78,6 +80,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f4b53539-8df9-40e4-86c6-6b607703bd4e", "policyDefinitionReferenceId": "Deny-ADX-Encryption", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -88,6 +91,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7b32f193-cb28-4e15-9a98-b9556db0bafa", "policyDefinitionReferenceId": "Modify-ADX-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json index 1e4ccb20d..139b42cbe 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-DataFactory.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Data Factory", "description": "This policy initiative is a group of policies that ensures Data Factory is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Data Factory", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -67,6 +67,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f78ccdb4-7bf4-4106-8647-270491d2978a", "policyDefinitionReferenceId": "Deny-Adf-Managed-Identity", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -77,6 +78,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77d40665-3120-4348-b539-3192ec808307", "policyDefinitionReferenceId": "Deny-Adf-Git", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -87,6 +89,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/127ef6d7-242f-43b3-9eef-947faf1725d0", "policyDefinitionReferenceId": "Deny-Adf-Linked-Service-Key-Vault", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -97,6 +100,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0088bc63-6dee-4a9c-9d29-91cfdc848952", "policyDefinitionReferenceId": "Deny-Adf-Sql-Integration", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -107,6 +111,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/08b1442b-7789-4130-8506-4f99a97226a7", "policyDefinitionReferenceId": "Modify-Adf-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json index e664afc6e..874f52318 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventGrid.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Event Grid", "description": "This policy initiative is a group of policies that ensures Event Grid is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Event Grid", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -90,6 +90,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2dd0e8b9-4289-4bb0-b813-1883298e9924", "policyDefinitionReferenceId": "Modify-EventGrid-Partner-Namespace-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -100,6 +101,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8ac2748f-3bf1-4c02-a3b6-92ae68cf75b1", "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -110,6 +112,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ae9fb87f-8a17-4428-94a4-8135d431055c", "policyDefinitionReferenceId": "Deny-EventGrid-Topic-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -120,6 +123,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c8144d9-746a-4501-b08c-093c8d29ad04", "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -130,6 +134,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8632b003-3545-4b29-85e6-b2b96773df1e", "policyDefinitionReferenceId": "Deny-EventGrid-Partner-Namespace-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -140,6 +145,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8bfadddb-ee1c-4639-8911-a38cb8e0b3bd", "policyDefinitionReferenceId": "Deny-EventGrid-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -150,6 +156,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/898e9824-104c-4965-8e0e-5197588fa5d4", "policyDefinitionReferenceId": "Modify-EventGrid-Domain-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -160,6 +167,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/36ea4b4b-0f7f-4a54-89fa-ab18f555a172", "policyDefinitionReferenceId": "Modify-EventGrid-Topic-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json index feaf0a1ba..63e2d2d62 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-EventHub.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Event Hub", "description": "This policy initiative is a group of policies that ensures Event Hub is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Event Hub", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/836cd60e-87f3-4e6a-a27c-29d687f01a4c", "policyDefinitionReferenceId": "Deny-EH-Double-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -68,6 +69,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/57f35901-8389-40bb-ac49-3ba4f86d889d", "policyDefinitionReferenceId": "Modify-EH-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -78,6 +80,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5d4e3c65-4873-47be-94f3-6f8b953a3598", "policyDefinitionReferenceId": "Deny-EH-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -88,6 +91,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b278e460-7cfc-4451-8294-cccc40a940d7", "policyDefinitionReferenceId": "Deny-EH-Auth-Rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json index 3c68197a8..80f674ccf 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-KeyVault-Sup.json @@ -8,7 +8,7 @@ "displayName": "Enforce additional recommended guardrails for Key Vault", "description": "This policy initiative is a group of policies that ensures Key Vault is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Key Vault", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -39,6 +39,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/84d327c3-164a-4685-b453-900478614456", "policyDefinitionReferenceId": "Modify-KV-PublicNetworkAccess", + "definitionVersion": "2.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -49,6 +50,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01dc", "policyDefinitionReferenceId": "Modify-KV-Fw", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json index 08a03e892..c1617dbb0 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Kubernetes", "description": "This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Kubernetes", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -181,6 +181,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5485eac0-7e8f-4964-998b-a44f4f0c1e75", "policyDefinitionReferenceId": "Deny-Aks-Windows-Container-Administrator", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -191,6 +192,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8", "policyDefinitionReferenceId": "Deny-Aks-Shared-Host-Process-Namespace", + "definitionVersion": "5.*.*", "groupNames": [], "parameters": { "effect": { @@ -201,6 +203,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/65280eef-c8b4-425e-9aec-af55e55bf581", "policyDefinitionReferenceId": "Deny-Aks-Naked-Pods", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -211,6 +214,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/9f061a12-e40d-4183-a00e-171812443373", "policyDefinitionReferenceId": "Deny-Aks-Default-Namespace", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -221,6 +225,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3fc4dc25-5baf-40d8-9b05-7fe74c1bc64e", "policyDefinitionReferenceId": "Deny-Aks-Internal-Lb", + "definitionVersion": "8.*.*", "groupNames": [], "parameters": { "effect": { @@ -231,6 +236,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/41425d9f-d1a5-499a-9932-f8ed8453932c", "policyDefinitionReferenceId": "Deny-Aks-Temp-Disk-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -241,6 +247,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c26596ff-4d70-4e6a-9a30-c2506bd2f80c", "policyDefinitionReferenceId": "Deny-Aks-Allowed-Capabilities", + "definitionVersion": "6.*.*", "groupNames": [], "parameters": { "effect": { @@ -251,6 +258,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99", "policyDefinitionReferenceId": "Deny-Aks-Priv-Escalation", + "definitionVersion": "7.*.*", "groupNames": [], "parameters": { "effect": { @@ -261,6 +269,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4", "policyDefinitionReferenceId": "Deny-Aks-Priv-Containers", + "definitionVersion": "9.*.*", "groupNames": [], "parameters": { "effect": { @@ -271,6 +280,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/b1a9997f-2883-4f12-bdff-2280f99b5915", "policyDefinitionReferenceId": "Deny-Aks-ReadinessOrLiveness-Probes", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -281,6 +291,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b708b0a-3380-40e9-8b79-821f9fa224cc", "policyDefinitionReferenceId": "Dine-Aks-Command-Invoke", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -291,6 +302,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7", "policyDefinitionReferenceId": "Dine-Aks-Policy", + "definitionVersion": "4.*.*", "groupNames": [], "parameters": { "effect": { @@ -301,6 +313,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8", "policyDefinitionReferenceId": "Deny-Aks-Private-Cluster", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -311,6 +324,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32", "policyDefinitionReferenceId": "Deny-Aks-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -321,6 +335,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/dbbdc317-9734-4dd8-9074-993b29c69008", "policyDefinitionReferenceId": "Deny-Aks-Kms", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -331,6 +346,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46238e2f-3f6f-4589-9f3f-77bed4116e67", "policyDefinitionReferenceId": "Deny-Aks-Cni", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json index 964a8191a..b0ea706aa 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MachineLearning.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Machine Learning", "description": "This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Machine Learning", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -139,6 +139,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f110a506-2dcb-422e-bcea-d533fc8c35e2", "policyDefinitionReferenceId": "Deny-ML-Outdated-Os", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effects": { @@ -149,6 +150,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e96a9a5f-07ca-471b-9bc5-6a0f33cbd68f", "policyDefinitionReferenceId": "Deny-ML-Local-Auth", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -159,6 +161,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a6f9a2d0-cff7-4855-83ad-4cd750666512", "policyDefinitionReferenceId": "Modify-ML-Local-Auth", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -169,6 +172,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5f0c7d88-c7de-45b8-ac49-db49e72eaa78", "policyDefinitionReferenceId": "Deny-ML-User-Assigned-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -179,6 +183,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a10ee784-7409-4941-b091-663697637c0f", "policyDefinitionReferenceId": "Modify-ML-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -189,6 +194,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/679ddf89-ab8f-48a5-9029-e76054077449", "policyDefinitionReferenceId": "Deny-ML-Idle-Shutdown", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -199,6 +205,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/7804b5c7-01dc-4723-969b-ae300cc07ff1", "policyDefinitionReferenceId": "Audit-ML-Virtual-Network", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -209,6 +216,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/e413671a-dd10-4cc1-a943-45b598596cb7", "policyDefinitionReferenceId": "Deny-ML-Legacy-Mode", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -219,6 +227,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/45e05259-1eb5-4f70-9574-baf73e9d219b", "policyDefinitionReferenceId": "Audit-ML-Private-Link", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -229,6 +238,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/afe0c3be-ba3b-4544-ba52-0c99672a8ad6", "policyDefinitionReferenceId": "Aine-ML-Resource-Logs", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -239,6 +249,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/19539b54-c61e-4196-9a38-67598701be90", "policyDefinitionReferenceId": "Deny-ML-Allowed-Registry-Deploy", + "definitionVersion": "1.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -249,6 +260,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/53c70b02-63dd-11ea-bc55-0242ac130003", "policyDefinitionReferenceId": "Deny-ML-Allowed-Module", + "definitionVersion": "6.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -259,6 +271,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/77eeea86-7e81-4a7d-9067-de844d096752", "policyDefinitionReferenceId": "Deny-ML-Allowed-Python", + "definitionVersion": "5.*.*-preview", "groupNames": [], "parameters": { "effect": { @@ -269,6 +282,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5853517a-63de-11ea-bc55-0242ac130003", "policyDefinitionReferenceId": "Deny-ML-Allowed-Registries", + "definitionVersion": "6.*.*-preview", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json index ce2b30161..9a6d49530 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-MySQL.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for MySQL", "description": "This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "MySQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -40,6 +40,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/80ed5239-4122-41ed-b54a-6f1fa7552816", "policyDefinitionReferenceId": "Dine-MySql-Adv-Threat-Protection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -50,6 +51,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a58212a-c829-4f13-9872-6371df2fd0b4", "policyDefinitionReferenceId": "Deny-MySql-Infra-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json index bec7c6d07..759150d4a 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Network.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Network and Networking services", "description": "This policy initiative is a group of policies that ensures Network and Networking services are compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Network", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -267,12 +267,14 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/35f9c03a-cc27-418e-9c0c-539ff999d010", "policyDefinitionReferenceId": "Deny-Nsg-GW-subnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/21a6bc25-125e-4d13-b82d-2e19b7208ab7", "policyDefinitionReferenceId": "Deny-VPN-AzureAD", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -283,6 +285,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/055aa869-bc98-4af8-bafc-23f1ab6ffe2c", "policyDefinitionReferenceId": "Deny-Waf-Afd-Enabled", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -293,6 +296,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6484db87-a62d-4327-9f07-80a2cbdf333a", "policyDefinitionReferenceId": "Deny-Waf-IDPS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -303,6 +307,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/610b6183-5f00-4d68-86d2-4ab4cb3a67a5", "policyDefinitionReferenceId": "Deny-FW-AllIDPSS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -313,6 +318,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/f516dc7a-4543-4d40-aad6-98f76a706b50", "policyDefinitionReferenceId": "Deny-FW-EmpIDPSBypass", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -323,6 +329,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/711c24bb-7f18-4578-b192-81a6161e1f17", "policyDefinitionReferenceId": "Deny-FW-TLS-Inspection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -333,6 +340,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a58ac66d-92cb-409c-94b8-8e48d7a96596", "policyDefinitionReferenceId": "Deny-FW-TLS-AllApp", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -343,6 +351,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/12430be1-6cc8-4527-a9a8-e3d38f250096", "policyDefinitionReferenceId": "Deny-Waf-AppGw-mode", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -356,6 +365,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/632d3993-e2c0-44ea-a7db-2eca131f356d", "policyDefinitionReferenceId": "Deny-Waf-Fw-rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -366,6 +376,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/425bea59-a659-4cbb-8d31-34499bd030b8", "policyDefinitionReferenceId": "Deny-Waf-mode", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -379,6 +390,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d", "policyDefinitionReferenceId": "Modify-vNet-DDoS", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -392,18 +404,21 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", "policyDefinitionReferenceId": "Deny-Ip-Forwarding", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/83a86a26-fd1f-447c-b59d-e51f44264114", "policyDefinitionReferenceId": "Deny-vNic-Pip", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/564feb30-bf6a-4854-b4bb-0d2d2d1e6c66", "policyDefinitionReferenceId": "Deny-AppGw-Without-Waf", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -414,6 +429,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr", "policyDefinitionReferenceId": "Deny-Subnet-Without-Udr", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -424,6 +440,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg", "policyDefinitionReferenceId": "Deny-Subnet-Without-NSG", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -434,6 +451,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Service-Endpoints", "policyDefinitionReferenceId": "Deny-Subnet-with-Service-Endpoints", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -444,6 +462,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MgmtPorts-From-Internet", "policyDefinitionReferenceId": "Deny-Mgmt-From-Internet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -457,6 +476,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGw-Without-Tls", "policyDefinitionReferenceId": "Deny-AppGw-Without-Tls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -467,6 +487,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-UDR", "policyDefinitionReferenceId": "Modify-Udr", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -486,6 +507,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Modify-NSG", "policyDefinitionReferenceId": "Modify-Nsg", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json index 6292ccc45..5e4a1a811 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-OpenAI.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Open AI (Cognitive Service)", "description": "This policy initiative is a group of policies that ensures Open AI (Cognitive Service) is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Cognitive Services", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -117,6 +117,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-RestrictOutboundNetworkAccess", "policyDefinitionReferenceId": "Deny-OpenAi-OutboundNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -127,6 +128,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-CognitiveServices-NetworkAcls", "policyDefinitionReferenceId": "Deny-OpenAi-NetworkAcls", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -137,6 +139,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/fe3fd216-4f83-4fc1-8984-2bbec80a3418", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Managed-Identity", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -147,6 +150,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/71ef260a-8f18-47b7-abcb-62d0673d94dc", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -157,6 +161,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/46aa9b05-0e60-4eae-a88b-1e9d374fa515", "policyDefinitionReferenceId": "Deny-Cognitive-Services-Cust-Storage", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -167,6 +172,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/14de9e63-1b31-492e-a5a3-c3f7fd57f555", "policyDefinitionReferenceId": "Modify-Cognitive-Services-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -177,6 +183,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/037eea7a-bd0a-46c5-9a66-03aea78705d3", "policyDefinitionReferenceId": "Deny-AzureAI-Network-Access", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -187,6 +194,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d6759c02-b87f-42b7-892e-71b3f471d782", "policyDefinitionReferenceId": "Audit-AzureAI-Private-Link", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -197,6 +205,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/d45520cb-31ca-44ba-8da2-fcf914608544", "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -207,6 +216,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/55eff01b-f2bd-4c32-9203-db285f709d30", "policyDefinitionReferenceId": "Dine-AzureAI-Local-Key2", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -217,6 +227,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/1b4d1c4e-934c-4703-944c-27c82c06bebb", "policyDefinitionReferenceId": "Aine-AzureAI-Diag-Settings", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json index 484292f11..8c12837c6 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-PostgreSQL.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for PostgreSQL", "description": "This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "PostgreSQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -31,6 +31,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/db048e65-913c-49f9-bb5f-1084184671d3", "policyDefinitionReferenceId": "Dine-PostgreSql-Adv-Threat-Protection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json index 5fb82b190..eb60f036e 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-SQL.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for SQL and SQL Managed Instance", "description": "This policy initiative is a group of policies that ensures SQL and SQL Managed Instance is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "SQL", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -57,6 +57,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd", "policyDefinitionReferenceId": "Dine-Sql-Managed-Defender", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -67,6 +68,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/abda6d70-9778-44e7-84a8-06713e6db027", "policyDefinitionReferenceId": "Deny-Sql-Aad-Only", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -77,6 +79,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/78215662-041e-49ed-a9dd-5385911b3a1f", "policyDefinitionReferenceId": "Deny-Sql-Managed-Aad-Only", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -87,12 +90,14 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/6134c3db-786f-471e-87bc-8f479dc890f6", "policyDefinitionReferenceId": "Dine-Sql-Adv-Data", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": {} }, { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/28b0b1e5-17ba-4963-a7a4-5a1ab4400a0b", "policyDefinitionReferenceId": "Modify-Sql-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json index 79b30ef80..2e4e849e3 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-ServiceBus.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Service Bus", "description": "This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Service Bus", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -58,6 +58,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a1817ec0-a368-432a-8057-8371e17ac6ee", "policyDefinitionReferenceId": "Deny-Sb-Authz-Rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -68,6 +69,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ebaf4f25-a4e8-415f-86a8-42d9155bef0b", "policyDefinitionReferenceId": "Deny-Sb-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -78,6 +80,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/cfb11c26-f069-4c14-8e36-56c394dae5af", "policyDefinitionReferenceId": "Deny-Sb-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -88,6 +91,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/910711a6-8aa2-4f15-ae62-1e5b2ed3ef9e", "policyDefinitionReferenceId": "Modify-Sb-LocalAuth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json index c5abdeee2..a50e26bfb 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Storage.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Storage Account", "description": "This policy initiative is a group of policies that ensures Storage is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Storage", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -231,6 +231,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CopyScope", "policyDefinitionReferenceId": "Deny-Storage-CopyScope", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -244,6 +245,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ServicesEncryption", "policyDefinitionReferenceId": "Deny-Storage-ServicesEncryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -254,6 +256,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-LocalUser", "policyDefinitionReferenceId": "Deny-Storage-LocalUser", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -264,6 +267,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-SFTP", "policyDefinitionReferenceId": "Deny-Storage-SFTP", + "groupNames": [], "parameters": { "effect": { @@ -274,6 +278,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsBypass", "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsBypass", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -287,6 +292,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesTenantId", "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesTenantId", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -297,6 +303,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ResourceAccessRulesResourceId", "policyDefinitionReferenceId": "Deny-Storage-ResourceAccessRulesResourceId", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -307,6 +314,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-NetworkAclsVirtualNetworkRules", "policyDefinitionReferenceId": "Deny-Storage-NetworkAclsVirtualNetworkRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -317,6 +325,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-ContainerDeleteRetentionPolicy", "policyDefinitionReferenceId": "Deny-Storage-ContainerDeleteRetentionPolicy", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -330,6 +339,7 @@ { "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-CorsRules", "policyDefinitionReferenceId": "Deny-Storage-CorsRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -340,6 +350,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bfecdea6-31c4-4045-ad42-71b9dc87247d", "policyDefinitionReferenceId": "Deny-Storage-Account-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -350,6 +361,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/92a89a79-6c52-4a7e-a03f-61306fc49312", "policyDefinitionReferenceId": "Deny-Storage-Cross-Tenant", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -360,6 +372,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8c6a50c6-9ffd-4ae7-986f-5fa6111f9a54", "policyDefinitionReferenceId": "Deny-Storage-Shared-Key", + "definitionVersion": "2.*.*", "groupNames": [], "parameters": { "effect": { @@ -370,6 +383,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/4733ea7b-a883-42fe-8cac-97454c2a9e4a", "policyDefinitionReferenceId": "Deny-Storage-Infra-Encryption", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -380,6 +394,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/37e0d2fe-28a5-43d6-a273-67d37d1f5606", "policyDefinitionReferenceId": "Deny-Storage-Classic", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -390,6 +405,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c", "policyDefinitionReferenceId": "Dine-Storage-Threat-Protection", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -400,6 +416,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c", "policyDefinitionReferenceId": "Deny-Storage-Restrict-NetworkRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -410,6 +427,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a1a9cdf-e04d-429a-8416-3bfb72a1b26f", "policyDefinitionReferenceId": "Deny-Storage-NetworkRules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -420,6 +438,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537", "policyDefinitionReferenceId": "Deny-Storage-Account-Keys-Expire", + "definitionVersion": "3.*.*", "groupNames": [], "parameters": { "effect": { @@ -430,6 +449,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/0e07b2e9-6cd9-4c40-9ccb-52817b95133b", "policyDefinitionReferenceId": "Modify-Storage-FileSync-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -440,6 +460,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/13502221-8df0-4414-9937-de9c5c4e396b", "policyDefinitionReferenceId": "Modify-Blob-Storage-Account-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -450,6 +471,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/a06d0189-92e8-4dba-b0c4-08d7669fce7d", "policyDefinitionReferenceId": "Modify-Storage-Account-PublicEndpoint", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json index a0b73748a..d47fcaa61 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Synapse.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Synapse workspaces", "description": "This policy initiative is a group of policies that ensures Synapse workspaces is compliant per regulated Landing Zones.", "metadata": { - "version": "1.1.0", + "version": "1.2.0", "category": "Synapse", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -105,6 +105,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/951c1558-50a5-4ca3-abb6-a93e3e2367a6", "policyDefinitionReferenceId": "Dine-Synapse-Defender", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -115,6 +116,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/c3624673-d2ff-48e0-b28c-5de1c6767c3c", "policyDefinitionReferenceId": "Modify-Synapse-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -125,6 +127,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/56fd377d-098c-4f02-8406-81eb055902b8", "policyDefinitionReferenceId": "Deny-Synapse-Fw-Rules", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -135,6 +138,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3a003702-13d2-4679-941b-937e58c443f0", "policyDefinitionReferenceId": "Deny-Synapse-Tenant-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -148,6 +152,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/3484ce98-c0c5-4c83-994b-c5ac24785218", "policyDefinitionReferenceId": "Deny-Synapse-Data-Traffic", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -158,6 +163,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2d9dbfa3-927b-4cf0-9d0f-08747f971650", "policyDefinitionReferenceId": "Deny-Synapse-Managed-Vnet", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -168,6 +174,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2158ddbe-fefa-408e-b43f-d4faef8ff3b8", "policyDefinitionReferenceId": "Deny-Synapse-Local-Auth", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -178,6 +185,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/8b5c654c-fb07-471b-aa8f-15fea733f140", "policyDefinitionReferenceId": "Modify-Synapse-Tls-Version", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -188,6 +196,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/5c8cad01-ef30-4891-b230-652dadb4876a", "policyDefinitionReferenceId": "Modify-Synapse-Public-Network-Access", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { diff --git a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json index 33564dda5..2d64b91b1 100644 --- a/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json +++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-VirtualDesktop.json @@ -8,7 +8,7 @@ "displayName": "Enforce recommended guardrails for Virtual Desktop", "description": "This policy initiative is a group of policies that ensures Virtual Desktop is compliant per regulated Landing Zones.", "metadata": { - "version": "1.0.0", + "version": "1.1.0", "category": "Desktop Virtualization", "source": "https://github.com/Azure/Enterprise-Scale/", "alzCloudEnvironments": [ @@ -39,6 +39,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/ce6ebf1d-0b94-4df9-9257-d8cacc238b4f", "policyDefinitionReferenceId": "Modify-Workspace-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": { @@ -49,6 +50,7 @@ { "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/2a0913ff-51e7-47b8-97bb-ea17127f7c8d", "policyDefinitionReferenceId": "Modify-Hostpool-PublicNetworkAccess", + "definitionVersion": "1.*.*", "groupNames": [], "parameters": { "effect": {