diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md
index e72ad4ba06..70c76a24c0 100644
--- a/docs/wiki/ALZ-Policies.md
+++ b/docs/wiki/ALZ-Policies.md
@@ -224,7 +224,7 @@ This is the parent management group for all the landing zone child management gr
| **Policy Type** | **Count** |
| :--- | :---: |
| `Policy Definition Sets` | **13** |
-| `Policy Definitions` | **15** |
+| `Policy Definitions` | **14** |
The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Landing Zones Management Group**.
@@ -239,7 +239,6 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
| **Subnets should have a Network Security Group** | **Subnets should have a Network Security Group** | `Policy Definition`, **Custom** | This policy denies the creation of a subnet without a Network Security Group. NSG help to protect traffic across subnet-level. | Deny |
| **Network interfaces should disable IP forwarding** | **Network interfaces should disable IP forwarding** | `Policy Definition`, **Built-in** | This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. | Deny |
| **Secure transfer to storage accounts should be enabled** | **Secure transfer to storage accounts should be enabled** | `Policy Definition`, **Built-in** | Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking | Audit |
-| **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | **Deploy Azure Policy Add-on to Azure Kubernetes Service clusters** | `Policy Definition`, **Built-in** | Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. | DeployIfNotExists |
| **Configure SQL servers to have auditing enabled to Log Analytics workspace** | **Configure SQL servers to have auditing enabled to Log Analytics workspace** | `Policy Definition`, **Built-in** | To ensure the operations performed against your SQL assets are captured, SQL servers should have auditing enabled. If auditing is not enabled, this policy will configure auditing events to flow to the specified Log Analytics workspace. | DeployIfNotExists |
| **Deploy Threat Detection on SQL servers** | **Configure Azure Defender to be enabled on SQL servers** | `Policy Definition`, **Built-in** | Enable Azure Defender on your Azure SQL Servers to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
| **Deploy TDE on SQL servers** | **Deploy TDE on SQL servers** | `Policy Definition`, **Built-in** | This policy ensures that Transparent Data Encryption is enabled on SQL Servers | DeployIfNotExists |
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 264c7488ca..e9a0746f66 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -49,7 +49,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
### 🔃 Policy Refresh Q1 FY25
- Updated the initiative [Deploy-MDFC-Config_20240319](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) to the the newer version of DCSPM: [Configure Microsoft Defender CSPM plan](https://www.azadvertizer.net/azpolicyadvertizer/72f8cee7-2937-403d-84a1-a4e3e57f3c21.html)
-- Updated [ Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region.
+- Updated [Deploy-Private-DNS-Generic](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-Private-DNS-Generic.html) policy to include the ability to configure the location/region.
+- Removed duplicate assignment and portal option of [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://www.azadvertizer.net/azpolicyadvertizer/a8eff44f-8c92-45c3-a3fb-9880802d67a7.html) at Landing Zones scope, as this policy is assigned in the initiative [Deploy Microsoft Defender for Cloud configuration](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Deploy-MDFC-Config_20240319.html) at Intermediate Root scope.
### June 2024
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx
index ef277d5bea..56b3f486f2 100644
Binary files a/docs/wiki/media/ALZ Policy Assignments v2.xlsx and b/docs/wiki/media/ALZ Policy Assignments v2.xlsx differ
diff --git a/eslzArm/eslz-portal.json b/eslzArm/eslz-portal.json
index 047668d1f5..5554a53771 100644
--- a/eslzArm/eslz-portal.json
+++ b/eslzArm/eslz-portal.json
@@ -831,26 +831,6 @@
]
}
},
- {
- "name": "enableAscForDns",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Enable Microsoft Defender for Cloud for DNS",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected, Microsoft Defender for Cloud will be enabled for DNS.
Uses the custom initiative Deploy Microsoft Defender for Cloud configuration.",
- "visible": "[and(equals(steps('management').enableAsc,'Yes'), or(equals(steps('basics').cloudEnvironment.selection, 'AzureCloud'), equals(steps('basics').cloudEnvironment.selection, 'AzureUSGovernment')))]",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "DeployIfNotExists"
- },
- {
- "label": "No",
- "value": "Disabled"
- }
- ]
- }
- },
{
"name": "enableAscForContainers",
"type": "Microsoft.Common.OptionsGroup",
@@ -3966,7 +3946,7 @@
"type": "Microsoft.Common.OptionsGroup",
"label": "Assign recommended policies to govern identity and domain controllers",
"defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, Azure Policy will be assigned at the scope to govern your identity resources.",
+ "toolTip": "If 'Yes' is selected when also adding a subscription for identity, Azure Policy will be assigned at the scope to govern your identity resources.",
"constraints": {
"allowedValues": [
{
@@ -4374,30 +4354,6 @@
},
"visible": "[equals(steps('management').enableLogAnalytics,'Yes')]"
},
- {
- "name": "enableAksPolicy",
- "type": "Microsoft.Common.OptionsGroup",
- "label": "Enable Kubernetes (AKS) for Azure Policy",
- "defaultValue": "Yes (recommended)",
- "toolTip": "If 'Yes' is selected the Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters will be enabled.
Uses the policy Deploy Azure Policy Add-on to Azure Kubernetes Service clusters.",
- "constraints": {
- "allowedValues": [
- {
- "label": "Yes (recommended)",
- "value": "Yes"
- },
- {
- "label": "Audit only",
- "value": "Audit"
- },
- {
- "label": "No",
- "value": "No"
- }
- ]
- },
- "visible": true
- },
{
"name": "denyAksPrivileged",
"type": "Microsoft.Common.OptionsGroup",
@@ -9073,7 +9029,6 @@
"enableVmMonitoring": "[steps('landingZones').lzSection.enableVmMonitoring]",
"enableVmssMonitoring": "[steps('landingZones').lzSection.enableVmssMonitoring]",
"enableVmHybridMonitoring": "[steps('landingZones').lzSection.enableVmHybridMonitoring]",
- "enableAksPolicy": "[steps('landingZones').lzSection.enableAksPolicy]",
"denyAksPrivileged": "[steps('landingZones').lzSection.denyAksPrivileged]",
"denyAksPrivilegedEscalation": "[steps('landingZones').lzSection.denyAksPrivilegedEscalation]",
"denyHttpIngressForAks": "[steps('landingZones').lzSection.denyHttpIngressForAks]",
diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index 2c25864a30..29f595d609 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -771,15 +771,6 @@
"description": "If 'Yes' is selected, policy will be assigned to enforce Hybrid VM monitoring."
}
},
- "enableAksPolicy": {
- "type": "string",
- "defaultValue": "No",
- "allowedValues": [
- "Yes",
- "Audit",
- "No"
- ]
- },
"denyAksPrivileged": {
"type": "string",
"defaultValue": "No",
@@ -1610,7 +1601,6 @@
"azVmssMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMSSMonitoringPolicyAssignment.json')]",
"azVmHybridMonitorPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMHybridMonitoringPolicyAssignment.json')]",
"azVmBackupPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-VMBackupPolicyAssignment.json')]",
- "azPolicyForAksPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json')]",
"aksPrivEscalationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivEscalationPolicyAssignment.json')]",
"aksPrivilegedPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-AksPrivilegedPolicyAssignment.json')]",
"tlsSslPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-DINE-APPEND-TLS-SSL-PolicyAssignment.json')]",
@@ -1735,7 +1725,6 @@
"azVmHybridMonitorPolicyDeploymentName": "[take(concat('alz-AzVmHybridMonitor', variables('deploymentSuffix')), 64)]",
"azBackupLzPolicyDeploymentName": "[take(concat('alz-AzBackupLz', variables('deploymentSuffix')), 64)]",
"azBackupIdentityPolicyDeploymentName": "[take(concat('alz-AzBackupIdentity', variables('deploymentSuffix')), 64)]",
- "azPolicyForAksPolicyDeploymentName": "[take(concat('alz-AksPolicy', variables('deploymentSuffix')), 64)]",
"aksPrivEscalationPolicyDeploymentName": "[take(concat('alz-AksPrivEsc', variables('deploymentSuffix')), 64)]",
"aksHttpsPolicyDeploymentName": "[take(concat('alz-AksHttps', variables('deploymentSuffix')), 64)]",
"aksPrivilegedPolicyDeploymentName": "[take(concat('alz-AksPrivileged', variables('deploymentSuffix')), 64)]",
@@ -6236,33 +6225,6 @@
}
}
},
- {
- // Assigning Azure Policy enablement policy for AKS to landing zones management group if condition is true
- "condition": "[or(equals(parameters('enableAksPolicy'), 'Yes'), equals(parameters('enableAksPolicy'), 'Audit'))]",
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2020-10-01",
- "name": "[variables('deploymentNames').azPolicyForAksPolicyDeploymentName]",
- "scope": "[variables('scopes').lzsManagementGroup]",
- "location": "[deployment().location]",
- "dependsOn": [
- "policyCompletion"
- ],
- "properties": {
- "mode": "Incremental",
- "templateLink": {
- "contentVersion": "1.0.0.0",
- "uri": "[variables('deploymentUris').azPolicyForAksPolicyAssignment]"
- },
- "parameters": {
- "topLevelManagementGroupPrefix": {
- "value": "[parameters('enterpriseScaleCompanyPrefix')]"
- },
- "enforcementMode": {
- "value": "[if(equals(parameters('enableaksPolicy'), 'Yes'), 'Default', 'DoNotEnforce')]"
- }
- }
- }
- },
{
// Assigning Aks Priv Escalation policy to landing zones management group if condition is true
"condition": "[or(equals(parameters('denyAksPrivilegedEscalation'), 'Yes'), equals(parameters('denyAksPrivilegedEscalation'), 'Audit'))]",
diff --git a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json
deleted file mode 100644
index 9079653de9..0000000000
--- a/eslzArm/managementGroupTemplates/policyAssignments/DINE-AksPolicyPolicyAssignment.json
+++ /dev/null
@@ -1,80 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "topLevelManagementGroupPrefix": {
- "type": "string",
- "metadata": {
- "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
- }
- },
- "enforcementMode": {
- "type": "string",
- "allowedValues": [
- "Default",
- "DoNotEnforce"
- ],
- "defaultValue": "Default"
- }
- },
- "variables": {
- "policyDefinitions": {
- "deployAks": "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7"
- },
- "policyAssignmentNames": {
- "deployAks": "Deploy-AKS-Policy",
- "description": "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc.",
- "displayName": "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters"
- },
- "rbacAksContributor": "ed7f3fbd-7b88-4dd4-9017-9adb7ce333f8",
- "rbacAksPolicyAddon": "18ed5180-3e48-46fd-8541-4ea054d57064",
- "roleAssignmentNames": {
- "roleAssignmentNameAksContributor": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks))]",
- "roleAssignmentNameAksPolicyAddon": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').deployAks,'-PolicyAddon'))]"
- }
- },
- "resources": [
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2022-06-01",
- "name": "[variables('policyAssignmentNames').deployAks]",
- "location": "[deployment().location]",
- "identity": {
- "type": "SystemAssigned"
- },
- "properties": {
- "description": "[variables('policyAssignmentNames').description]",
- "displayName": "[variables('policyAssignmentNames').displayName]",
- "policyDefinitionId": "[variables('policyDefinitions').deployAks]",
- "enforcementMode": "[parameters('enforcementMode')]"
- }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').roleAssignmentNameAksContributor]",
- "dependsOn": [
- "[variables('policyAssignmentNames').deployAks]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacAksContributor'))]",
- "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2019-09-01', 'Full' ).identity.principalId]"
- }
- },
- {
- "type": "Microsoft.Authorization/roleAssignments",
- "apiVersion": "2019-04-01-preview",
- "name": "[variables('roleAssignmentNames').roleAssignmentNameAksPolicyAddon]",
- "dependsOn": [
- "[variables('policyAssignmentNames').deployAks]"
- ],
- "properties": {
- "principalType": "ServicePrincipal",
- "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacAksPolicyAddon'))]",
- "principalId": "[reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployAks), '2019-09-01', 'Full' ).identity.principalId]"
- }
- }
- ],
- "outputs": {}
-}
\ No newline at end of file