Merge branch 'main' into policy-refresh-q2fy25
Springstone authored Jan 10, 2025
2 parents 1bd7954 + b47747b commit 46b522b
Showing 10 changed files with 83 additions and 89 deletions.
27 changes: 0 additions & 27 deletions .github/workflows/gh-ado-sync.yml

This file was deleted.

4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
Expand Up @@ -59,7 +59,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: SARIF file
path: results.sarif
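Review bot: the bump keeps the full-commit-SHA pin with a trailing `# v4.4.3` comment, which is the right pattern for third-party actions, but the comment is informational only; check that `b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882` is the commit the upstream v4.4.3 tag actually resolves to. A stale comment beside a correct SHA is harmless, whereas a correct comment beside the wrong SHA silently pins the wrong code and nobody reading the workflow would notice.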
Expand All @@ -68,6 +68,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
sarif_file: results.sarif
8 changes: 8 additions & 0 deletions docs/wiki/ALZ-Policies-FAQ.md
Expand Up @@ -12,6 +12,14 @@ We've had a number of issues and pull requests submitted specifically around the
The reason for this is that the policies and initiatives in this repo are intended to be used as part of the ALZ deployment process, and are used to generate the ARM templates that are deployed to Azure. The leading `[` character is required to support the generation of the ARM templates.

### Why does ALZ not promote the usage of User-Assigned Managed Identities for Policy Assignments?

Whilst User-Assigned Managed Identities for Policy Assignments are now supported, there are a number of reasons why ALZ does not promote the usage of them.

The primary risk is that the User-Assigned Managed Identity created and used for one or more policy assignments is an over-permissioned identity; both in terms of RBAC roles it has assigned to it and also the scope/s that it has been assigned to. With the focus on least privilege and zero trust security principles, we believe in ALZ that the use of a User-Assigned Managed Identity for policy assignments is not the best practice and instead you should continue to use the system-assigned managed identity for your Azure policy assignments.

Not only does using a system-assigned managed identity for policy assignments reduce the risk of over-permissioning, but it also reduces the complexity of managing the identity and its RBAC permissions and assignments as the lifecycle of the system-assigned managed identity is managed by Azure policy automatically with the lifecycle of the policy assignment it is associated with.

### Diagnostic Settings v2 (December 2023)

There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain.
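Review bot: the new answer opens with "there are a number of reasons" but then gives one risk (an over-permissioned identity, in both roles and scopes) plus a lifecycle argument; either say "two reasons" or list them so the structure matches the claim. In the same paragraph, "scope/s" should read "scopes" and "Azure policy" should be "Azure Policy" to match the rest of the page, and the statement that User-Assigned Managed Identities are "now supported" would be more useful with a link to the Azure Policy documentation describing the supported configuration.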
3 changes: 3 additions & 0 deletions docs/wiki/ALZ-Policies.md
Expand Up @@ -44,6 +44,9 @@ AzAdvertizer also updates once per day!

As part of a default deployment configuration, policy and policy set definitions are deployed at multiple levels within the Azure landing zone Management Group hierarchy as depicted within the below diagram.

> [!IMPORTANT]
> As part of the ALZ portal deployment/configuration, policy and policy set definitions are created only at the intermediate management group, e.g. `contoso` that is a child of the tenant root management group, created during the ALZ deployment. Our automation does not assign any policies to the tenant root management group scope, only the ALZ hierarchy it deploys and its children, e.g. `contoso` and below. This approach aligns with the Cloud Adoption Framework's best practices for Azure Policy assignment, ensuring clear delineation of policy application and avoiding unintended policy inheritance across the entire tenant. By placing policies only at the intermediary root and its child management groups, we maintain compliance, flexibility, and alignment with organizational governance requirements. And also allow multiple management groups hierarchies to exist in a single tenant such as the [canary approach](https://aka.ms/alz/canary#example-scenarios-and-outcomes)
![image](./media/MgmtGroups_Policies_v0.1.svg)

The subsequent sections will provide a summary of policy sets and policy set definitions applied at each level of the Management Group hierarchy.
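Review bot: the new `> [!IMPORTANT]` callout has no blank line between it and the `![image](./media/MgmtGroups_Policies_v0.1.svg)` line, so under CommonMark lazy continuation the image is pulled into the blockquote instead of rendering below it; add an empty line after the callout. The final sentence ("And also allow multiple management groups hierarchies to exist ...") lacks a full stop and should read "management group hierarchies". Content-wise, the first sentence is about where definitions are created and the second about where policies are assigned; stating the scope explicitly for both definitions and assignments would avoid readers concluding that nothing from ALZ is ever visible at the tenant root.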
1 change: 0 additions & 1 deletion docs/wiki/ALZ-Resource-Provider-Recommendations.md
Expand Up @@ -21,7 +21,6 @@ To successfully deploy an Enterprise-Scale with a predefined [template](https://
* Microsoft.OperationalInsights
* Microsoft.OperationsManagement
* Microsoft.Automation
* Microsoft.AlertsManagement
* Microsoft.Security
* Microsoft.Network
* Microsoft.EventGrid
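Review bot: `Microsoft.AlertsManagement` is dropped from the list of providers that must be registered, while the same merge bumps the Azure Monitor Baseline Alerts integration in eslzArm.json and the release notes. If the AMBA deployment creates alert processing rules or other resources under that provider, removing it from the pre-registration list will surface as a deployment failure in tenants where the provider has never been registered. Either confirm it is no longer required (or is registered automatically) and record that in Whats-new.md, or keep the entry.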
3 changes: 2 additions & 1 deletion docs/wiki/Create-Landingzones.md
Expand Up @@ -3,12 +3,13 @@
The approach of "Subscription Vending", materializes and standardizes the ALZ "Subscription Democratization" Design Principle, by formulating a process for requesting, deploying and governing Azure Subscriptions, and by doing so enabling the Applications Teams to onboard their workloads in a fast, yet deterministic way.

For further details, one can look into the following articles:

- [Deploy Azure landing zones (Subscription Vending)](https://learn.microsoft.com/azure/architecture/landing-zones/landing-zone-deploy#subscription-vending)
- [Subscription vending implementation guidance](https://learn.microsoft.com/azure/architecture/landing-zones/subscription-vending)

The respective Bicep and Terraform automation / IaC Modules for Subscription Vending, can be found in:

- [Bicep Subscription Vending](https://github.com/Azure/bicep-lz-vending)
- [Bicep Subscription Vending](https://github.com/Azure/bicep-registry-modules/tree/main/avm/ptn/lz/sub-vending)
- [Terraform Subscription Vending](https://registry.terraform.io/modules/Azure/lz-vending/azurerm/latest)

More broader information on programmatical creation of Azure Subscriptions (EA/MCA/MPA) via the latest APIs, can be found on the following articles:
10 changes: 4 additions & 6 deletions docs/wiki/FAQ.md
Expand Up @@ -155,15 +155,13 @@ The Management Group Names/IDs created via the ALZ Portal Accelerator Deployment
- `<Resource Prefix (Root ID)>-decommissioned`
- `<Resource Prefix (Root ID)>-sandbox`

## Why hasn't Azure landing zones migrated to the Azure Monitor Agent yet?
## Azure Monitor Agent

**Update January 2024** We have been working on the removal of MMA from ALZ and the first step in the overall removal process is to update the ALZ Portal reference implementation (greenfield deployments) which has now been updated. Our next step is to work on the deployment to Terraform and Bicep reference implementations which requires significant investment to minimise impact to existing customers and providing clear guidance for the transition. For more details please see [Azure Monitor Agent Update](./ALZ-AMA-Update.md).
### What if we are not ready to make the switch (from MMA) and migrate to AMA, right now?

### What if we are not ready to make the switch and migrate, right now?
The log analytics agent (MMA) has retired as documented [here]( https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). Cloud ingestion services will gradually reduce support for MMA agents, which may result in compatibility issues over time. Ingestion for MMA will remain unchanged until February 1, 2025. You need to complete the migration to the Azure Monitor Agent before that date.

Another good question. You will need to plan, and complete, the migration to the Azure Monitor Agent before the Log Analytics Agent is retired as [documented here.](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/)

### Where do I find more information about the Azure Monitor Baseline Alerts initiative included in the Azure landing zones Portal Accelerator?
## Where do I find more information about the Azure Monitor Baseline Alerts initiative included in the Azure landing zones Portal Accelerator?

Great question! As this is maintained in a repository outside of the Azure landing zones repository please refer to [Azure Monitor Baseline Alerts wiki](https://azure.github.io/azure-monitor-baseline-alerts/patterns/alz) for more details.

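Review bot: the rewrite removes the "Update January 2024" paragraph and with it the only link on this page to `./ALZ-AMA-Update.md`; if that page still exists, re-link it from the new "Azure Monitor Agent" section, otherwise readers lose the Terraform/Bicep migration status it carried. The replacement text hard-codes "Ingestion for MMA will remain unchanged until February 1, 2025", only weeks after this commit date, so consider phrasing it in a way that stays correct after the cut-off. Also drop the stray leading space in `[here]( https://...)`.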
11 changes: 11 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -2,6 +2,7 @@

- [Updates](#updates)
- [🔃 Policy Refresh Q2 FY25](#-policy-refresh-q2-fy25)
- [December 2024](#december-2024)
- [November 2024](#november-2024)
- [🔃 Policy Refresh Q1 FY25](#-policy-refresh-q1-fy25)
- [October 2024](#october-2024)
Expand Down Expand Up @@ -64,6 +65,12 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- Updated initiative [Enforce-EncryptTransit_20240509](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-EncryptTransit_20240509.html) `AppServiceMinTlsVersion` parameter to include TLS version 1.3 (as supported by the policy).
- Added new custom policies [Audit-Tags-Mandatory](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory.html) and [Audit-Tags-Mandatory-Rg](https://www.azadvertizer.net/azpolicyadvertizer/Audit-Tags-Mandatory-Rg.html) to support auditing for the existence of mandatory tags (based on an array of tags). Not assigned by default.

### December 2024

#### Tooling

- Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-12-10). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation.

### November 2024

#### Tooling
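Review bot: the new December 2024 entry records only the AMBA release bump to 2024-12-10, but the eslzArm.json changes in this merge also stop passing `delayCount` to the AMBA nested deployments and start passing `enableAMBAHybridVM` and `enableAMBAKeyManagement` on the single-platform-subscription path where they were previously omitted. If either of those is visible to users of the portal accelerator, it belongs in this section as well.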
Expand All @@ -72,6 +79,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- A bug was resolved in the Portal Accelerator that caused deployment validation to fail with the error message "The 'location' property must be specified for 'amba-id-amba-prod-001'". This event happened when a Log Analytics Workspace was not deployed, but Azure Monitor Baseline Alerts were enabled. This issue occurred because Azure Monitor Baseline Alerts depend on the management subscription, which is not provided if the Log Analytics Workspace is not deployed. To address this scenario, an additional section was implemented in the Baseline alerts and monitoring tab allowing the selection of a Management subscription when not deploying a Log Analytics Workspace.
- Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-11-01). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation.

#### Documentation

- Link for the Bicep Subscription Vending changed to AVM (Azure Verified Modules)

### 🔃 Policy Refresh Q1 FY25

- Updated ALZ custom policies enforcing minimum TLS versions to properly evaluate the minimum TLS version, ensuring services configured to deploy TLS 1.3 will successfully evaluate.
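Review bot: the new Documentation bullet "Link for the Bicep Subscription Vending changed to AVM (Azure Verified Modules)" has no trailing period, unlike the surrounding bullets, and would be more actionable if it linked to the new module location the Create-Landingzones.md change points at.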
99 changes: 50 additions & 49 deletions eslzArm/eslzArm.json
Expand Up @@ -1679,7 +1679,7 @@
},
// Declaring root uris for external dependency repositories.
"rootUris": {
"monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-11-01/"
"monitorRepo": "https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/2024-12-10/"
},
// Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ
"azPrivateDnsPolicyAssignmentMapping": {
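Review bot: `monitorRepo` moves from the `2024-11-01` to the `2024-12-10` tag of azure-monitor-baseline-alerts, and the comment above describes this as an external dependency repository whose content is fetched at deployment time; what the portal accelerator deploys is therefore only as stable as that tag. Git tags are not immutable by default, so make sure the upstream tag is protected (or reference a commit SHA, as scorecard.yml already does for actions) so that a moved or re-pointed tag cannot change the deployed alert definitions.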
Expand Down Expand Up @@ -2274,6 +2274,30 @@
"enableAMBAServiceHealth": {
"value": "[parameters('enableServiceHealth')]"
},
"enableAMBAHybridVM": {
"value": "[parameters('enableAMBAHybridVM')]"
},
"enableAMBAKeyManagement": {
"value": "[parameters('enableAMBAKeyManagement')]"
},
"enableAMBALoadBalancing": {
"value": "[parameters('enableAMBALoadBalancing')]"
},
"enableAMBANetworkChanges": {
"value": "[parameters('enableAMBANetworkChanges')]"
},
"enableAMBARecoveryServices": {
"value": "[parameters('enableAMBARecoveryServices')]"
},
"enableAMBAStorage": {
"value": "[parameters('enableAMBAStorage')]"
},
"enableAMBAVM": {
"value": "[parameters('enableAMBAVM')]"
},
"enableAMBAWeb": {
"value": "[parameters('enableAMBAWeb')]"
},
"userAssignedManagedIdentityName": {
"value": "[parameters('userAssignedManagedIdentityName')]"
},
Expand All @@ -2283,9 +2307,6 @@
"ALZArmRoleId": {
"value": "[array(parameters('ambaAgArmRole'))]"
},
"delayCount": {
"value": "[parameters('delayCount')]"
},
"ALZMonitorResourceGroupName": {
"value": "[parameters('monitorAlertsResourceGroup')]"
},
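Review bot: `delayCount` is no longer passed to the AMBA nested deployment. Two things this diff does not show need confirming: that the top-level `delayCount` parameter in this template's `parameters` section (and any binding to it in eslz-portal.json) is removed as well, otherwise the template carries an unused parameter, and that the AMBA 2024-12-10 template either no longer declares `delayCount` or gives it a default, otherwise the nested deployment fails with a missing-parameter error.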
Expand All @@ -2298,30 +2319,6 @@
"managementSubscriptionId": {
"value": "[parameters('managementSubscriptionId')]"
},
"enableAMBAHybridVM": {
"value": "[parameters('enableAMBAHybridVM')]"
},
"enableAMBAKeyManagement": {
"value": "[parameters('enableAMBAKeyManagement')]"
},
"enableAMBALoadBalancing": {
"value": "[parameters('enableAMBALoadBalancing')]"
},
"enableAMBANetworkChanges": {
"value": "[parameters('enableAMBANetworkChanges')]"
},
"enableAMBARecoveryServices": {
"value": "[parameters('enableAMBARecoveryServices')]"
},
"enableAMBAStorage": {
"value": "[parameters('enableAMBAStorage')]"
},
"enableAMBAVM": {
"value": "[parameters('enableAMBAVM')]"
},
"enableAMBAWeb": {
"value": "[parameters('enableAMBAWeb')]"
},
"deployALZPortalAccelerator": {
"value": "Yes"
}
Expand Down Expand Up @@ -2380,6 +2377,30 @@
"enableAMBAServiceHealth": {
"value": "[parameters('enableServiceHealth')]"
},
"enableAMBAHybridVM": {
"value": "[parameters('enableAMBAHybridVM')]"
},
"enableAMBAKeyManagement": {
"value": "[parameters('enableAMBAKeyManagement')]"
},
"enableAMBALoadBalancing": {
"value": "[parameters('enableAMBALoadBalancing')]"
},
"enableAMBANetworkChanges": {
"value": "[parameters('enableAMBANetworkChanges')]"
},
"enableAMBARecoveryServices": {
"value": "[parameters('enableAMBARecoveryServices')]"
},
"enableAMBAStorage": {
"value": "[parameters('enableAMBAStorage')]"
},
"enableAMBAVM": {
"value": "[parameters('enableAMBAVM')]"
},
"enableAMBAWeb": {
"value": "[parameters('enableAMBAWeb')]"
},
"userAssignedManagedIdentityName": {
"value": "[parameters('userAssignedManagedIdentityName')]"
},
Expand All @@ -2389,9 +2410,6 @@
"ALZArmRoleId": {
"value": "[array(parameters('ambaAgArmRole'))]"
},
"delayCount": {
"value": "[parameters('delayCount')]"
},
"ALZMonitorResourceGroupName": {
"value": "[parameters('monitorAlertsResourceGroup')]"
},
Expand All @@ -2404,24 +2422,7 @@
"managementSubscriptionId": {
"value": "[parameters('singlePlatformSubscriptionId')]"
},
"enableAMBALoadBalancing": {
"value": "[parameters('enableAMBALoadBalancing')]"
},
"enableAMBANetworkChanges": {
"value": "[parameters('enableAMBANetworkChanges')]"
},
"enableAMBARecoveryServices": {
"value": "[parameters('enableAMBARecoveryServices')]"
},
"enableAMBAStorage": {
"value": "[parameters('enableAMBAStorage')]"
},
"enableAMBAVM": {
"value": "[parameters('enableAMBAVM')]"
},
"enableAMBAWeb": {
"value": "[parameters('enableAMBAWeb')]"
},

"deployALZPortalAccelerator": {
"value": "Yes"
}
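Review bot: the block removed here (the path where `managementSubscriptionId` is set from `singlePlatformSubscriptionId`) never passed `enableAMBAHybridVM` or `enableAMBAKeyManagement`, whereas the block added earlier in this file now passes both; so beyond the reorder this hunk changes behaviour for single-platform-subscription deployments, making those two alert sets configurable where they were previously left at the nested template's default. Call that out in the release notes, and remove the empty line left before `deployALZPortalAccelerator`.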
6 changes: 3 additions & 3 deletions src/portal/release.json
@@ -1,5 +1,5 @@
{
"azureLandingZoneTemplateDetailsUri": "https://github.com/Azure/Enterprise-Scale/tree/2024-11-05",
"templateUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-11-05/eslzArm/eslzArm.json",
"uiFormDefinitionUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-11-05/eslzArm/eslz-portal.json"
"azureLandingZoneTemplateDetailsUri": "https://github.com/Azure/Enterprise-Scale/tree/2024-12-10",
"templateUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-12-10/eslzArm/eslzArm.json",
"uiFormDefinitionUri": "https://raw.githubusercontent.com/Azure/Enterprise-Scale/2024-12-10/eslzArm/eslz-portal.json"
}
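Review bot: all three URIs now point at the `2024-12-10` tag of Azure/Enterprise-Scale; note that this is a different repository from the azure-monitor-baseline-alerts `2024-12-10` tag referenced in eslzArm.json, so the matching date is coincidental, and the Enterprise-Scale tag still has to be created on the merged commit for the portal to resolve these URIs.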
