From 1da409ca8b46e74fa25857f8e957b98db910d024 Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Thu, 14 Dec 2023 20:02:14 +0400
Subject: [PATCH 1/8] Here Comes the Rain

---
 docs/wiki/ALZ-Policies.md                     |   3 +-
 docs/wiki/Whats-new.md                        |   1 +
 .../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 37070 -> 37300 bytes
 ...IT-ResourceRGLocationPolicyAssignment.json |  72 ++++++++++++++++++
 .../Audit-ResourceRGLocation.json             |  58 ++++++++++++++
 src/templates/policies.bicep                  |   1 +
 6 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
 create mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json

diff --git a/docs/wiki/ALZ-Policies.md b/docs/wiki/ALZ-Policies.md
index cef05074be..5be1df643a 100644
--- a/docs/wiki/ALZ-Policies.md
+++ b/docs/wiki/ALZ-Policies.md
@@ -68,7 +68,7 @@ This management group is a parent to all the other management groups created wit
 | **Policy Type**           | **Count** |
 | :---                      |   :---:   |
 | `Policy Definition Sets`  | **11**     |
-| `Policy Definitions`      | **2**     |
+| `Policy Definitions`      | **3**     |
 </td></tr> </table>
 
 The table below provides the specific **Custom** and **Built-in** **policy definitions** and **policy definitions sets** assigned at the **Intermediate Root Management Group**.
@@ -89,6 +89,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
 | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | **Deny Virtual Machines and Virtual Machine Scale Sets from not using OS Managed Disks** | `Policy Definition`, **Built-In**     | Deny virtual machines not using managed disk. It checks the managedDisk property on virtual machine OS Disk fields.                                                                                                                                                                                                                         | Deny                   |
 | **Deploy Azure Monitor Baseline Alerts for Service Health** | **Deploy Azure Monitor Baseline Alerts for Service Health** | `Policy Definition Set`, **Custom**     | Deploys service health alerts, action group and alert processing rule. For more detail on policies included please refer to https://aka.ms/amba/alz/wiki under Policy Initiatives/Service Health initiative. | DeployIfNotExists                   |
 | **Resources should be Zone Resilient** | **Resources should be Zone Resilient** | `Policy Definition Set`, **Built-in**     | Some resource types can be deployed Zone Redundant (e.g. SQL Databases); some can be deploy Zone Aligned (e.g. Virtual Machines); and some can be deployed either Zone Aligned or Zone Redundant (e.g. Virtual Machine Scale Sets). Being zone aligned does not guarantee resilience, but it is the foundation on which a resilient solution can be built (e.g. three Virtual Machine Scale Sets zone aligned to three different zones in the same region with a load balancer). See https://aka.ms/AZResilience for more info. | Audit                   |
+| **Resource Group and Resource locations should match** | **Resource Group and Resource locations should match** | `Policy Definition`, **Built-in**     | In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains. | Audit                   |
 
 ### Platform
 
diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 3af120131e..f908117221 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -45,6 +45,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 #### Policy
 
 - Added new initiative default assignment at the Intermediate Root Management Group for [Resources should be Zone Resilient](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/130fb88f-0fc9-4678-bfe1-31022d71c7d5.html) in Audit mode.
+- Added new custom policy and default assignment at the Intermediate Root Management Group for "Resource Group and Resource locations should match", which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience.
 
 ### November 2023
 
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx
index 5e8dc4529f7bb780ad9e633ca2ee98c87e4a2476..86aad013cdf896bbf1d3fa737710e77bd9c18666 100644
GIT binary patch
delta 12107
zcmY*<Wl$WzvhK3DySuwP!5xCTyGwAFWg!sUHW1w1-95Ow26qeYA-tS(U)6nYeoWO!
zcYo9MO;=4%Pv--h3W0V0@UXYYE<djzAb1jxv&)_U#^2!i_isj8_F~0Rce0U4mExn$
zs+UMmD_c2<i3%w7@_Sj%NZQRG@58&rp6!Nio0VnR_1PmclfvBXFKw*Imr<?~`b%?j
z&BcyIiu$sZ)^Z;~$pqjU#HdOX{3<Ha_jH7J%ctYqFMP4JN3qpBfHG;hnc^y`1sr>j
ziXuymzB1FQK8J|~BAsbQ!4Zrt6}@z7xV>SjOKO_VD;nj&53{<V&=MM((+--HUtm`a
zGsJrt6-PI5=7rBYij%tM>+<^g(1TfcTB7`U9XchumkkyqGsvz1F~ZIhyT?Dp8qDg@
z`TLjGv}u(Ev7IPuq1JyTiQbXx(@DC3B<n;H`mN<_#>TL<1%(^-{(jPbkz@J5MbQ_F
zjSx48(~(5j`ZU)?&2M<M#bPHx<~_gUY781K9@olugvE1DR99$--vUCMM>Ao2Y62V$
z`f4^MTWT{m3$wnFpo|7-$qz8IDCBBm6}6Q9Eo^Y8dlQ7lbfmsr$#4fYLt_C!K4ydV
zk;fL1)-~0Bb8`^aSLT%5<vYys^t5<KG%rRPtvydblfY^y!9EVYRYtv*62GTRDeV|T
zPR<E-F8)uD8iR^<h!Vnh{PXXZ4FD8~j7&@5yHVKj#xoih=dfxb{-`L2)A%DEFd<7n
z<rZVgWPQ}ldAlBE=4K<}yloT|iPdSns{YBL*^rE2OV>5x&3ydY;OOl;^GW<~$>5om
z-#3qSVO6fmjk-ka%YSFo?)ZP2Usby6@wUP%^6hDpj4!q%G>xy86cVfKFsh67vV}C;
zdz0JK-NpZg=?OA=lRn{sALm0_q|yQxEYFz&OS7Moh>7{44I(z=Qs-ho8_?8tYi?qX
zSu|*S5y^f7<)?*x)#=R@bHScZrF>Sf%DK(*2pv^g5S)y|``%Twd$%Qj?d#q2Z)Xm{
znUsg;y&))qoYN-WswOSO)+A+CRuas~<w7tP^vgM0PKH{C4=ni=Efy>{B*+Eh*!Q1A
zUBgBXcqSrWiB31sx4lk5KiPHXaFJ?*J8x&>{M;$!?^y}kC`sLwmE&I5M;oAJa-0sc
z6Q@vU<tT|qn+sBxyipx@d?SdPoT*(&H%>b1MXn9Pd}kf+%R~cqKj!{qj-#V*YYuUZ
z7^w)T=&D^(H=IbMY4K>`0=G3AMA%RC(bPP#zZ0-Ign9b+IQqId@A<OgJi(h3MBB>g
zwD<bjo}*44Ifot+`KLPQ#*tQVuGNy^<9CJ!ZEfFYxZ*I&J-UFdb_lxIN5j8Cz9FMO
zifya@W)}|NPn#rzd`6dh>K5qu6Uaj(V@ek$hNheLK`?7Pu(Ue5C_Gy9#t+%G!EOAG
zYyw0|dOOO_CjbBz!XST8DL|X?>l_&2SIiHjRNIh2H!K9Is#Rm1%@%xZP;K0PNV7uL
zx($?e&{MoJR$?NPUKB^f>ULJT;Mm0%Q{63QU4v0NxmEO}5n?*zxhjwQ{kH|XP+?~~
z%~?f0VLAAkxy?WCoogx;_}#m|e8ufN<N1c07AR(&emYhJt=+=?{tnVuTI^G8M)Rx`
zVEvWffmFbu6qXSUM~bNFg({U=Z1zXJ!Fh_<<12%SI`r#<Y*R<+(gl%`^3p^LDW`sG
zh+dRpT38rWt<A!*7d5W2w%QZf$alX0*jxm*`BJwJQ>zMCO^u29XK}Rn4EBkcP?kI=
z3gcxEF5C!suXX_K`YR}Uiw=<<npvoSl-T?f(0Hk_P|e_e56=!s{8j2Joh&09jW{j)
zL>MJIahNPDN~6$Z^c6H0sDqGJS3R!TH8}@V6{917y-VkwRqgkAb-E<%cpYY*M)^iV
z;3wOX>t|2qtG)I!uTRLE_Ao}|6(v(rzF-qG^D7s%$&1??y)X!F<-^<Wk|-HYYWdEq
zc4w^pPs}Zn$-J{QnbpH*92-bsR4$F15Fve8@00d#QP=t{f<(eMPS0TjM*|YFcAFi0
zj3eyK<T0e@>&vA9(M&Ui4j(rkD>+N@Z-n(u&S=ZUb>Ezule~UxJ~&eJ$&*4^$WbJz
z%Hv>>7*B+V3Ppe}ZA+;-m0`6m5HLOg(NvW?Dljn4F)#u!cb%!`;{o;5gU`!4A#zzr
zkwKLFXfRvV|K@Zt-}Z0P23OE|&j~OB;GU0L@-2MN$-7}=dQwLdEJ?ndrt{`)f7IiX
zkz^!~*>~8g_Hh`!i3<jNKm!0DAAtXKSy{VZi23nA;if~^&@_9K@(sxR;vz~`Q-%av
zfcJ%x$i~gbOP?b1%Uwa!A>{Y<FV|DF#f6`@0!D9sp4Xc8{vDkW%MlX^{CMomyb{|k
z*~nZG%K?G1Kh8^=(m!TqS~oAJCP1d3z_-hZ)~jBT4*~ApoWHhj<~{*;x<omq!LKvh
zFX!i=iIweR&{p7yi<n4PR_MEXv^N^Z$J_azT2S!1aNwW2g`XooB!z{N94tHwDx)r>
zO|f&c2^{ufus1RU1nMiJ=;<GM-8}bd=t{!ddb|DJhUeekiSOKWPL(V4e<)T!=r)2h
zAq$qasN1r>2_T)zxhR^3IA<DYs`+3z>85uOFfuX#AiWp_ls*t)lkfezC$nuY(Q>?f
zQ@2^<bID|UL{ReC=V`YliMe!y?R-yqeS)4eDk&iYtZq$m%42Cq^D>OqSH^=QyI^A;
z(aaa1oE2^#%?;m9XRnfAj5iWRLv9HpEh+;iT?{1+fx{TPfu^X4rOsx79)Z=TSEdIo
zWaAZ;PvChfYzBGoeiHG~C!iO4>5&z;N*ar&!G$ZZn+6nYpip$o015~jDN;BxIFRRY
zY_|4l719<ge|WhSK*&#5WgDnVkfqg)Nlp(-g8|aP0M(FD_RBU3M`Qn&VrAs{MQc?=
z?jKfnbYAr||6{{{(|TRrd+;mBZIF+UKpq<o1NR@e^8HY)0eO{w68}sbvzq_*CO`7J
zE@1ngqn~-kAaW2A7>|>1THDd+TcGuw&_PF*Y`K{qb@|ptd6lQ(l`u{l>17JM>5ONQ
zb+E)?m#>J@^;wx|5y>eL5h>smKyxsmh9?c3wQ*=$m&6P;ae$QVr#Fu}9#9^+i$7-*
zmx7$_0H=qoLRi#q>TouRL3`XBbQnXJ+30;V+L3!F@tSE5<9sKnnrSW4XJ}b8NKJh9
zrw;6j2l7OoUSR@o)*(hT1j;dXBucshA>JKtYI)g$&=axCF-EO(a81$<=bpv9iR)Vc
z3I(wn0x*|E2WS=3Qb@w1ci}KzG~KEnd)naqD^Odg{1X>$Sv9sktkibZuEqv4fadZ5
zI{}jc`rrk|xa$;VQbnf;8s+Fk8oW5o2tEr;eh6ezGo*J%&9Iho$b<_i%Dz;Ztz`br
zm~5@tC)7t+?gyC7zErk~ECZ<lmzdINiJCC5{1B2hLFJc}SyC&sX10$iFyjDyQ|VZ1
z>@)zg)UDG28AIZ!G+6rD5|Iag&4pK|)Mi#I57fZ8*<ES;QW(V&-gK3LcKXsk5iUSs
z>|zZg07SBmJdlK~g3U@w!6X~Sj<#`@WK~O1>o8EYR{TI%y4>P#H(<CWSf4Q2FqdC^
zsbs_lfw{zc1i`rGr_$UF$ypSYR0zpMpHl5txW@4Ka8Hy=QdUeSq~oQEqOZ3C5~D=v
z9CnvVV#L!aHu6TbX2XQcS{#<=%nU0h7?Yb-k(++IcE+Lbr|fR&^l1OoW%f#WPwc`Z
zFJcLz8BP_6q*f{sSl)$WL5Q}DA)Ay7Hc-U?$qk9(*=+7sENhx)q?q^!-RfXdsYzw!
zR<_bDAf%}zd>%&l4%N^dMexbU80~o_$glJpH9V5laV3uYQwdfX6V>E9n_6S!$!K(B
zR&c;^Z%Xaq4M``SM`blO=WVr>nUe=__=1Y)v$3n$BwK;N`ZivPA|3Al@`4Io10~fM
z=zz4_@jz)MT^@?TCn*LgDHDk&Z49Tq3ILwOW^b&4C<KRSg0~>2#$&H^h%XqJ`CZuC
z<4hl`P=&D4A!B{MT(C|Ek&O$tV1jD0$hp0Ij&mywbQ>n6PwAs!2wHyG|3U}m!<m0D
z6nNew4<)e@r;gH<qw{$mJjpU3Ua|nfDr=#1T0&mOAYJ>9a!jB6EOlgO;RMqwlW{9E
zBf7R*Ggz3(kyK$bmh_PN?6E7JvKY~nnWca5DX5mho_1=IxNT0ooavzViC|F>h(4o=
zn05JI*FT;erwE+Gs{V*9=Wvc24T^M9+zRQGoh@=)<MoF6N91DPzL36t(7g~Ts!g%L
zq`^!<0<D^{NZE&4o;Rb)Un!dOu8%E4MzmOMKW93h+4IUb@mN-0j?^4;@vQE^R@K4P
z(AHROT8Ojae|+gqMwOZTbW($9gfm-3-U;{)bxVs5OjqPd(?&=0dk_a#`RnD$K45gg
z&Ox9sG0y%Nb)RRd_342gFwD3(=&(5ytPAR!{3&EB;VpR5ku+2GGL*vY=`=ybPp-i=
z#Yu12{!4yE0{%$^1S_K>w}x9B<ke(mEE6<lI>%DS`xTbv%S4+||46h>l=OtruJ$Y7
z=`!kIGMmg)oWz=ogAJ<<%0DP&c>WNL03T8G2U*n*ffRXv)nX8bbJD0!B#Zafai{F`
zuX5_G)^wCu#{)OvBr_JTL30-7pZ3#dO?WodbKN=mI3?9{DLqnGQ|*p0{4|T+Ap%cl
zLV$gu7rh$HNx9os@w+*0af^F|I*t@s12BF`HKslq7^&;2WrH_#12g%Gda!*3LThG3
z-4<i!NIE%kivX%ZzJ!>G8qc3s!y3eVzqqdzcVVhl`F;L0FzOlEMF1Dq`luj60JZ)t
z{y))22-XRnWHNaS`X%&u@+@vtLy$$uOR*AM!d2L!VkIo?O?%ZPl9^R+SQC^vHh3b)
z%F(k2=B?*UF_ZLHLk?S$a5i6Fvx099w`cdW5}IsZ0|ifU?FilP;5jXNM~V|t%+Qff
zc@+?r-vGk=qU69;!yd<!Yt{!`28N6cWEwll#iBbR00^JXkpzCNT7-O!*3J?1^eA6h
z$WsWoYTgj2P5j+hjx8xe5%oX>#>7}iY~{oetk5DM^N;(8u(8EBXeFP?#Zxs1<e8&@
zOOmG`KWFf|WD*qSYCfFZQFAhY4%Od`_+Ml`YsV_&!{qedN2cVB#?bgwEB?bJ@Lx>E
z`FBl<foy{SAH@42%h-RARm(%r!C~cwFo~O9#p3>oAQrXD&a+BoSO;XUVq8v`Dg-m3
z01s}Ub;w0i6v1ak4i=%!B8Eh7b)NGrE|3FZHCBc0OqsMp4j-!SE9UX>nX&_$<U#Em
zMbYLLm~n(L(_+fu@1YY|uSfk*z!x?du=K4ZqSlqh>#`Dfozbh9nN$4fx8mF-%sVqL
zj)JM-s6ZAIZW}T<>=f5Ml%>>;V}h|4HR=BEhL)@&v&^)#)sN7}&6EN%)6H8j1xSB_
zTf9dZwhEC%2|WjJn^mBHKBkG-R70P<)tHO4sB<>{858>cr3S}{bak}W<EwnOBq4=v
zw8{6xiN8F~-O&MnQDmg&KZea#pYuBM)Kpu<or_2FA`fsjwd#V9@~Xx6F+#Y+Yqa|E
z`ugwxB8lf{@;C+=cEDuF1cAt>P(abZ<`j*vy}j*If|I}C9zN(<vs+&ZYj=w2W56A4
z9|>?$Gei(Bt(-&IzC~9E>-hLSNLiUGM5C5TCQm8RyJOI<{#%$m79|bh?bk$|0N9F^
zPa>}DYKBa=G#Tv3Uv`ls=YM1Z6uS+uFd49|Bw_#Z!3@n=-vJV<y$R%PJh52Rsv&>8
zOMvg4D&*TAtH&QukP#w&xK!CagnSkV3^4`N9|$e6IEc(;i=FSdbn39O5OVn#cy~J#
zlRz#e>LSYf{;gq)O*G}<&U&rKPBgn#1%LC<qJ5Pu<8n`G?bqKJ{PwKe8n#pA8tmdF
zcRdm@v9+A+Er~DP2sLywT6Ee`(h@K#V{*Aohz)p4#s|4`6^I5DVifCLcJV(dr@ZH!
zPezv9^gw*2KlWqZW{YD|Vd=&;jFOO4G_Um&`IeWMY-)Ye!fWVf56$!LB>1Gne9!cc
z6}%egOE1KypW=2K^p@M+o^c_RuK0{28PFhC9PMER7*+udd7WU<dz(=55!c9BN0HI_
zl+>n{<i$QxzkOar^Df-%(`tv``?Z1D8rdYAwjh*iVpR!R6`ft^C8e~%L8m{LFk;ht
z7|+!$Mhetrj?uJ3ft1_+s&UL2`kU+dr&s$=ETf8R8L>JH2K2*!FmWC93T^yYpP`=x
zGXnu6!~3FrMZ)1+2A}lhanBQZjWiwCCF6LEH`b<`o!S!Cb=0+lZLv7vn=($4tm+FQ
zw?Tx*?r5Pive|El4kZ1$g^v~N1*f#Q%aksiHhCrR!JEt*E!mLnUs1f3ZD^B-l4^wI
z2e>krwEoKR=?b|b6OCoCLc7Yko~q)P(JT?I$$BxvEYh`@55eLC=+kIHmEFs_^?xl*
z`8F%RczJJCO`vBk-9AmNy^yO+)CGAhMS(!{Kd+?Y#5~>!djHNRxy-z5`(pnY5=Gd$
zJ4P|x|7i2S@OKNm%@o%CCG5jRqSx??JClJPyi1WrYbz+1&TVQxQdD#Kr#!!UD~ss%
zcclmGk3-t-ZadCBliqGqq}X&$4<<z}YRouf@dzRfJlFyCr|B7f3eIeRC9fFjb|)wX
zuQ2Uz^J-2NTg&}|jn8;R#e5WHVk9wR%J5_@kg{dIC@uNgO*C=AWQKeSiLQINGp9M&
zmFJ!e_k^<~i#gPPjW5hefBVy&^BssB=4x~I4pe*m+WzNQ82-Rtx&1aRTK{vCeiWj!
z46U0}m4Ds}l4pe>n-7J*7VEdA4rY)RYv;q^%j4C#O}oC6j~=XUhlMtcracEHE$3LJ
z5F}P{ah>D4qDZELyU@~eq2C<oa#X?lhYY3?>(5nV;WJ;Bb(HBOj`-q+Evw%iN_X<5
z++eW`DCI<<m3)TRh>kr8^YtVpqH=qTo|}2RUBXUsGisS|&)GpP4CY;^PdcE~<eKc8
z$xoMy!WW-lKIR5(frgwMN=E`Gac~~$>l&Ig)aD@_D6(Vy+uy4Dmw76M{pkC6HR5ra
zCkDGXPUNC={d)Ar?b(l2^FL8o{>;PCb32A*+*IJm&WEKMA;Iphk9%)nwfpCp!(GE!
zlNoLFCJI|ewFL&k6O$BR`whrYhcn~5Qp@m^?S@v~P3d*_FiLeY5lk&<qVtabA|G|i
zxj!ev7Ot^(V;uKr8b`xo$og_h9!4SUb>Fx`In&UQenl5|My}*@(P;`hnnRygh)ATQ
zGowgd*c0cRfoP!RKr4FaQ|sWl*;kjD<9IC(nhflL9~xzqdWF0K@<<@<d@&d}1sp9@
z+!XE!Ka=F~@)F{dVV4Rv@dvD<OsXGpq_~j&ER_rtfz-KWp`^pWB&FjfUnI=?j{9ot
ztXDFB`FyD`T5&r9%e47$`-KV@rP@dF>%XZ-BrF?`F9*6ahfj^wSY`u6RmKtv@mrb^
z_P}E>VYb$g^5Vb@`36X9JRa$$vN6u5#21R~;vJx4)I_(98mdQMboS{G4z#(^lg{)D
zzCR$~IjQN%!zUh<^w-8$5BEID9cK))oPIN{j4(?$Qi-S|)}M?&aT08Xuz`cbn|r=Q
zk$zzg=Wry%jigm#W6B#h-p@`Fft{8c(EY6#+;4%mmB+tHh?_vd`*c68a8Ml9809GY
zxgYe~iM)P<XW3$%#V-X={Pd){*yfw+bXd!+#hbW{ADi&?#@rHGl1N~*VI3mU!k>~T
z1?0~xirBu#h>6f*?TPc9+KRnj`rqWQ;f;%R7v}0taD@pu{3h+XSCrD_Xgf2>lZMgM
zX3h3$$@szNb2JA6cg<N`0@A7N>#Xlf`VZ8ok~@|i^!;_eGd?XzPVIiSA&ruW|I2cX
zN>@v7-2X#`s=@4NX&`(0k6k@S@6fd|bLTYQqT;q>F*snr=3dLQFhC5Y<zc16e84KU
zS<;t<3&Vkjv6w2HW1USqT8HbJkh7OWO>;y>IGq2}n!o}G0eU1n;XB|Rk<Ai)m4peQ
zBIeFfkpoQHZ`{-ramKtAON-LpF-$dvXkERFX_)bnBw#!uoWVCU(v7gpy#khdknN}C
z7a<f_F4SYg%3)-7Zf*Py&UBQKA9R*%0KX-!a3v<1D5ROywA`iUXGHto*ue>YAol3d
zfjaD#-#bA1Szk`r4{vj)hEC&MlDm0PN+|6IeQ8_~lPBCOnt8Yg$wENEnLODJg;DO2
zLBsevyCb=b_-S*tPte)etw;qq03i#c!Wn^c=t0lxF_?+#AhIi-*<10LVa6?=sRkF_
z-rvu3Ud~o9IwNxGcxLMD<Dq_WhIKeuxC%215#=Bks$5CpCUq%$PLcI~9s)3js=-pr
zpg)-1M9H>BWL80DnS!@O_85Z&Ot~yhk}fN0>qy8a{cH85OHEUOCxgLMS>vZn@9O+<
z{vCDdh+lg;=_lTc@r>QO{ALPz-;hLP3@L39Z*;cn*1P5J8PlXMIC4{-SurNKX|SX!
zYkUwrYB~^fF@H-Gai*6iTF%jaub}8gk8yP?am7j{w}1EG0QvCWcu1;ySv^nbI_0-H
zhFQkdG>Wp}#2x%kyzI$xc<#tgj4JE60qfW`waJ)3v^sf`VA{{K_XUqIB{gU3Le#(h
z{5JR0aoH91$C~yzI5+w`a%-Xa+M6<U28@5CGv5GxtlVAhIo%-Y66j34VfqY2tefL8
zK~-XJ(fS(?eE!mIrL88P{?bL}e6f*mjl&<6K5St;Fk91?yW^klhPXC2Yp}{XA0>Oq
zBGQZ|tcL-(5C)4VG@%vu%eop5>L|iLg&+=Jd3Hh13?yz1Wh)zu>NlE2eVX)1*$FGu
zlpBBq(4c@a0hOf$45kYLuIjKR{Q@=ZM5xw?!M0SlpX?LN396OvXjHe_C2w$`p-^T#
zI0<f1p%>T%F7dPy1YGi^B>>Ia`n!%`BZR~$v>%ScU8DP4Mvzp|4l76ORcKs6=Y_LA
z$6^ry4Ob0&m{g5{ztAz9Xb+K&%+nNmOm^}OFZ!U-QVS(gdC7={8>+?Iw5^nfZ!)@n
zjWQN4$KDqoDG_ybEwe_7p+__(^B-ML={k^Boa)ws%^rjfy$az(VQM@3V>k3B=68FR
zEdtu5E}3lHUKBAKh=QP7)kjO$ld2j*QP4~>{H8wnGqo=HQoQ&=zbH34#ZTz#|5lPN
zl8ys4Q`Ph$@@@@QjBJo1GLKHyNmNRYy7!1Byq@7*gAevlcUDB|rU&^AtiML{4j~Mn
zbm~DY^`b3{=^Dm>vHM^*_flsPJ1UE>sMQ|O_2ykd5fhGirLgrd?Ks_s*_X9XI14d^
zP)gKN+0syCK(;tq7ml`U^SqUAGlu!|;U{Yg|J`enk*5-Ua`x0rTiqx9_|>}`K+W$o
zqmM4*>|P>}<nN}+OK-2o!zBg#*9J1veE)AtNQ)=0uxz~XS8p{=?9;i`%gA5<I7IXc
z3Bjj?9<8e+tj7JIFby=S2CZd%Z+QO;`tNUnKOGMlS`VYpFB=>Hpji_DzyUyZWAH!+
zMw{*%vZ+1W6+z$FHe-#g6<g?|8VNTvzcZ{=$aAfHzf^2_EI{N@kfsR9gBn|0m~5Pc
zO!=tr|AlHOXUM5u&lI4V1s#6`9`l%dyq^o<v@$J8kaP?Bx;_69FB^?{r!eRdeD)0D
zd%Y1qQIhRJ*_ZDYTxAHlero-AA+H5BPs0q$zE1TsO(f^W$2YZVIF_UDOUw8+L@qQ>
zUfXsE&nr|E)#@r*pI@IG-W`jPR9j<^BCt;vUQG2@>awFrlfm{LpAG)Gz3n7N+v-{F
z-&k4Os9)~qGN@$0=0<Ofq5pA}(<3^*)gxMfFT`#<*6bjbQznA}OQ^#5N@fajNuExG
z7}?&uo(P~1utauXJFuf-Wz@f)c-E_#EdPBlPVAmJF7Qrkq_|)a>LGtKlf(N}sbvH+
zryP)R$Dny?@B*Iv{!B2E?M26gxF6Ss(#5lULxnBS5gn)mA0G+fm<~!5F@Tv6P6^r&
zqZis8y9CIre-f&PFtS<^L_2|s2M-S}r0r6`Up~Jpo%}LHEN{JH>_-b5MgIaV_JdNk
zv=v;+q37pEWJSF0N!N{XCqWYanlWfkhiBi#H(_1h7Wu=1WXu%;n}g@$=3j_?`Y;Mq
zKM8chwJkM;&OSwRnW<Hg^MvzgvL}JtDzW&r>(ViC-#x~bGa8_O`^o{*(3dNj$|_7y
z9Pv9VpQA~fs3GC%JXObWBr%#~*@R`_>Y33DH%&{;_AsdhvSNvnx_y3T5z5eC#lU3U
z3r|!43e}CS`e}A@#zrc1{I)tnmba;gaF|Ha^;I>GYgizfK$1v>`>KAL*x=BV#g{+r
zMq_)C5V#YK`61lI=Tm{)kai;mQ+Zk}{DGf}=i~hvV(ZvRe~#8Hb6uA48)mAn{4$cN
zM6zi)?xRDB!z~XjUs?^_rQ+tNn1aEV2hR&EQt8p>Qw1o}GdwVBn{*A=iZ<#=5t(tN
zY<mp4KkYrzGM2p_i;cqD2|)Q#qp!TmZ&|LtysFhjj;W1Q%{GBB8|#<#QReIv(!c3b
zLYCUmhS=TMgb@<R&2shI`lSzWDJm0p&xUM)vR_!K+qI|wm<BL?{m_JdNS^b02(nat
zFwnvmk$VD9VHfE;Acv#<^fZ_Zn4ecEn>QD$3Oev>of~R;?L6Fir&b;xFAatFVOPn!
zJ*e}sRaXZ76v&{}2N-T)TFkssA$5~F1Pbi+XLBjL$H@tvX>6{CyLomjW+ZIN=NC<c
zuU-93(BrD}NuxM_JLSS-d7Wmvr=m<=K|NLXOHr8k4vgJ#1X0dbUafc{M)g`fJX*3^
z)aKe|txuNA$Nlzjgx+Hr>b9#FHw4}cJL*fSRC<x9BzT~&U*l!sX;o9p?^E)7LI&m&
zT;W#HiY^Je*{ERKso<gb8_nG`O}TN^%@oBTf7E@U{8&`KDI7&2Uvm?3bw=hrVMdWf
z-^phgWf3F0;UDL-AEoV^{Hkdl-l+3HN=+>=R6Pyuy?b%z3kW<VJj!%b0>mslJmGA|
ziNJipVNC)>w11PfMzPIS5=8BEoh;;*zIM#0=K{v>rtbQKepzHmuv#&M%C?xudW?5#
zZIl@jw&8G16s(q$@URi|^5t}zm&oRKXy^BVc6i@d+i024F091KAQ@=hHbmpG4b_iZ
zweiE3xzV}_bwdcj->r+^HOzG}lHE~Q?<;0=Xu?4e0faob(YCAH>4V&yyuFZ`X#qo}
zPd&3e7D`gPw&S!1ST7VB;~N5#%1xt`$kq4(ZVXlts~^M9=cLHw(cIBc7BD>$Rt;(w
z=Y)ZoXbmbwdvBZ#nxeQ{x0bbzh-^t{?0n8l#=&V>x$j&B`=1bp_SL-5-2^IPgL-e{
zC}u!~T&6@y=MmYw7K-WAa(sf|dx1=P;$4Xp4MM6YUWYM3aY7#SB91Aw{-OYc3$r!&
zLRcq2$p_rtb7IhaW+02syp^i+cFW8+Cs%Tt+&7#VTT;&KvQb}6bhxY=^dff!Q8_01
z=~8E%MQ%wY`E;qEUrhw?A7hEY0Bf|tm^@J3XDz3^pEnDYrm{8-cUBi~X5EgWt(QD#
z_mXYUnPGszw5F6U8F`AD*kUOJ8;?pKoGBrUZ_}pqi8M2zumZJ_cTTQf1{E89EQ$xd
z-VYH`Ko#q=^bshmqVkP-5PmEcGtbSE93v+auy_}5{#p>_aiy?7ygcHV^OJ<qqfY?k
z2~W&gBAOv$W*l5gQ(bgQCGQLYy7^#F3Wr!r!8`~!PB!7rHCf4Va<aDgr4*5SgVSg`
zbtpX&crs`;`b9#c5@ww&za$<jt#h2nHVkYSqJ?e7FYHx%5CusI0>S&(bHT8{U#N+r
zJt0SUA5@Bzq43cZHS9JN>sNwU-ijar6gbXIV}O}Wyc-@+zg(?IQeK6ceUqbUJU^Hz
z3D(nf`g|YK!hmvojN-(r`AFHwLwW5YoSkE$EGsa8@QF;&LU}t93yp;t#Xwwd5lCQX
ze-j9;-S>zeNvd~lck0vxSMt4as~Tw58STc|E64~I%lgYX2~)eEhb4|?Ne5b&_5gtk
z^%<`sLS!R|2yPAtW_3e&srNheI?cHSII17#Tu5e05nvD@gNWGzZS+e<zfc8nWV}V@
zkpaK51_l}PHTjH~2*Z9YCfDm$omWUpTj*+M5_(V2Yy#*U7s$O$X=HHf)oYz-!TFH)
z#qOViluyDbR$Zb3Pz(Z+!Jz53Pg37pL->9~Qt!xI)z+4B?+E8M6*%AK3Z%giGH61(
zV3z1L3c-`(3PPtsaM(f!P5vN0_bLGsJpoDI)2sAh8lxl$B-`_E_*5Ab(ZtIV_Y*h{
z?MR=4BSS+&XI6rV=n)SFaIksy(4{{LwXca$yb>hqtWV=CY$CRnVL`q01d9sG>wi3w
zQI0df%1JCcp$LvvYB-RF_pBLhqz*833lBvX#uD3is0~{hz6^=%c9wC6Kx%wTlv|)5
zgSk!!GlQlCnjRm#E{N-|-(%A+sa|Z-ZM}it(0|aKg6IiJ5T>Xkz9hMCee`fV^NH7T
z>28%wd6Q^{!(kIsbc3?{V*`s56;j{ZVffX6g;m)SLD+N}ZBi8y2?`<`uSJZbwDPf@
z@ExXmwC{kYngN1G!>moz6*}Kxu-fl|pzZ=AI7)bP%&&qxdb3Hpd?cE9()k`KOPibu
z(8z4IeFMB>H3DPBY`IVH(bQ71Yq&?X7NpujV@OzE2oEzjd_WpSFyb&5)B+ut%;`1w
zf>PuT*=iE-I}A>oSkQxpWuOR7v)bgFcY`oi?YYIUK4y9c!TjBiAA6phQBjX2{$HJR
zn5iB}yRd=Si&vUwd}X@A+<m#R!rZ-cixh=BTR`&b>m34G<nOS|6=r>Byx4HqfAJ_<
zo3qu%DR6I$tw4?VcUW)(<@e(A+h~%Go#2d-x}1VKZFLl(-D@9t3-ce6%`m8KS_!Y}
zE4fM*^_J2ps*q-^%@k+#di|QB0^mtbQmvq1ZqyaJDOnFdj8W(iNO?cb4-2OyrdgD^
zthoNQ*HyjwQ0waf+ffg;^NNyEH3>EwuF8l5lZ!QmJ4in*bb)MTe0pk-uxx4zPTrTW
z{KGE-xPYZ)G1aQ)bC%NY$*T?W{ft&m(++VEON&7}+sy8abz+YA;jWGtqozf7<}7VL
zsz|G01-~F{5n1d*77UfmdGY&iBp~SHLo!6=Gn}wm<fF|!IW|4hUOh2N8GcwJreuOr
z#T<U`Z%Di93KTjdNsS0<9a5zx3L>`Ek)KJi^J<H`qL17YHEZOKV4@%K#|rSH*Lw3P
zyG&;0j?bngZ_1hc_&PZwj)%7d|JA%=sxKraK7%r9M`ct6&Uhw!jB;T+oACp+>nbET
zwW@LZCkS2tNxpdmzZXc8Uo$;m7U?5+eT_r-8N}^6<**GKlF}w_f6kj#0%BoYj3#>L
zUN%fNSCRZq6sz9i#nam!Sp5<ExvFJ1VSx`iVrgUUER4}mZcFwW-h7=j==<)w`e_ei
zuLFO`JzmLN#~K@|*WlyX#m^D!?_b%1NqM7Ai?n3?l6}olZ~1M3)x<Ns20?or#F`&T
z2z~~Ii6RBmvN56hs>+Bmejv?4)(xDpHU7twajDX3yEYpsd-|2982jY-$tzCZ==I_0
zi1(bwsGK{uORICrv1zCckE{BV)6!=Q<LunFJ8(2xiRhQJ2IRh*MT<-AhqZV{9#pCg
zxhND}$45JS#{1&0J_ybFsXCR*_|J{&ku!_*v&3gBEa|5>$CiXjCLoW8+<;9^LHnae
zSU4p)7xgl=i1AsA+%9FGx?kQh4c1I;=KDH5*k8RrVY6zMeKvQhj`(uPMypBH6dr)I
z+^P3bI`;BlS3#HLo$z(yO99=2OK)s#yowlEP>x9yZPUHVmq(n;YHl3V-cEF0N*UkY
z^ir^k*GBW>o6PPPol8)}1mQZ~@3My5gNf%0dsXWQ&aU+kpQB&S<~%DA1Wtp}zwcI=
z;v`7m)4sj;biPsHzX?*s_o}EBP9(Xckg7)Z;TDrWoRQ*3N327)FsCVuJsN~-zab-0
z-(*KIxxKS~tlJ-)Y7c+uL?245KFX?~H0DOgc68?^x3SKOawGv|BMY+JWZO{Pvf8vs
z+@7vOdL$<NY}N^4;Wlh}Scll!cH#8OHb`X*cYIu%sqO=W<`l}rOoO8x?%M0STqkq9
zCjfduDzTgFHAZtw@~z2_^f(P>s+GZHxjXiWt3QXDG7cs-1VXg0csGuW9*C8dzYdEY
zcPa#CFUaPSlxcu8e`aK;_(^<u-b2b~ZBSp~GPo7SSx${^TyU@awg=Qh=T~u6DC<PM
z4^ZH)?Uo&4;D)0_jHotN=wQ<B#E^@_#lc#!=g1q5_yXI#X=jXF)PDaZi4%==H06$0
z-9fslu0fDV%P!^8*Dbkb;!r4aPqbL{XVADs6(siIt8fD&-m-S<gnLLcN~K$~{KjX4
zi>;QNJYuiea5<wHmf1!XttT-}O`DhPTu7`IBa}d6ixw;t7XJo`bU+QlY$0N1u<Q?!
zKe@z^DQ!L|Fa$=Y2}-W9T?YyZY8%q2n+@v4yBIlamL(nlJb$KPqqQ*=cWp%(XzzVK
zzZ?29LXKZ}jC|EAyZwHBHZm8OZxZ|Wb?;^3$KOi)E#{8^c-@5B(?P}{*+hqhmhhfE
z>KME~o@Sk<ncMgIvg$^IR<5u<EZ1VV8q*Yl-)hI@uvve%!91g31TDpU+ZpHVdA8M+
z)W!~nq<!aay!4vWs9b&jnQ7go>_FpiqHS~}&KlCg7>S<XnWm|xv&x6dpz@;0X}R_^
zInkV*-5sm+Y;;w4+Zar~ZM+(A)J=}pC7PqPp8%NcddL6I6CVN}i_tis$Abo`^CpAf
z*s?ahd6z;#fOf2nGroFIjqLVdRET068U)4`12XN+3X!nwhZOj-7P8wxHPZW2LcyZu
z@QG$ODhJR(fs|b~I8eILS3w+}K324MqF)DLTk=c22oiCK{TCSc<{UnU4ldsG<~q@<
zG~jhc1s?40WB=g)Rx+K#DZPIY9i`vT)wI)8zk%Di{p*NaA5THQ+QHUsNGSHA#Q)6(
z(Igc4nOYzLj55r^xyI06yBa_Gd7Ap7PTeh)$q7hq46?&1=5T7)y)J4QJ(ju2;g?rr
z*65<2d><T*|4u}w*o*!ko(Hy!Lp6vtnuHNs!HS^kS?8d@Pl?N)F3pa2XK&|?-O&n)
zv|)1E@LpzvBUI?!>HXbP{Y~4$GN2Zq-@HgMrWUu9oSS=!`_%hEF`JeX3L`Eq!=~j3
z`za+z7u3J{b2b3zKapGKXgtf=Y${W3YWdYnxHy4itQM=hLnrC?{ER5kVs0nssB7@e
z4Jua|M7ZDPQDlDYz8EX?`S<AD1oo}R&Efe`s`j0Q=uG%%%#bXCerm(>{j7`E(sm~=
zT}ENg2REC0lKi%_G~)z%0}g&HeW-(gnoOHlK0fi`PaM=%M@G__44lh^FQEanUVghv
zrvFXl5C?A{|KG~*w<ry$NQg=_E6M*Bf&u{l>OudXc7&RYMg(b&!GQSFVW9l)LN{G9
z8ZP8EnjOjzLKPzp6cB}2#fU>aK#F51i2wgg(f<ko05_1G7ztpMKBP~N7Lp!|0nv*k
z0-~G!8xlhjVtIfQR*<1sMc}YC1T#($q8CpDoU(=3#QobFPXwK14}ko(CHya%xi})A
zv?Js)P7Ijm4PlFC`bSP8;E*rGGoBU_6GsGH;|GAm`w~KC;+dfSLSExpNd8MuC;))%
zU*#d@{|gF09te?45P`abgd~UnH^7kI1TmoK*W^S+pmaoXA|50$90}r-$OQZx`JYiu
MA`zTM^nVomA6p9IUH||9

delta 11831
zcmYLvb99}-`gLsEHcxCDjcwaTlM~w~II)e!ZIgx#8{4)TTVL<}eQVwM<5_#=ooBe$
zJZs+Bt))<t#ZZj_@US@Uz1$ZdAUp|h&1H`lBZz$(s1^zFS|&d~(TovDX{f;`(+tSt
zKEZ=SF(_fBN~=oqI;U6$UaEE5Y_P36K}XN0%<p7pbCuR6pViD4AmXPlh>#i^bjY42
z9JHF;-ECcJQcv?xy65kuEtFOEU=#z-Ki}pS;;t(REmesi=1VH^HF%5d<LZDExOiE0
zlsxC-gx?xrK<vshZegD47*w^ht*m2w%*u{I;TSibfaR|$Tv#nm`l$vk;{1$FFfS!V
ziOa>>D*|q~hpJ;kBYF!E0|}X0-K|9(I@UY)B{n2eif)04!p;*rN593I%^H3A`W8pE
zaVPk(o!HnRSJzWSugUf4Bwc}$jiQNt{_+i@qg>ho>n*z<Li*2vET0fjb>y;A6!kjH
zlrWe1cAEvc^^e~UTWQdVPaJ;Oi|#2}*UYzJA!qMvrTwb(?X_aQu?c0*?MusSbo5QR
zII{t=A7R2ndyr?OT@fj9TD8GcJ6C^J)ft?d_lXazg5TQ8^29GfB6@+O1nzjd*#zeL
zc1k7>cieeziU*YkPRc}dbiSz39XMD_?r9LLXzdh3#!*U~qxy7o%rDaPxTA~(Bq!K~
zc)x*a43k<R$_Rg=o(`YaARvKcf3^72jKYu3p5Qp$qYEk7Q-aKvGcR~x$OPsD_b79^
zD<pQGHYqqtTF;1G%wB=AR>dO(bP}uXEWXDuGrDe3ujWHn8hC5z%*O?PC4*JlU9JPZ
zhu66&+(IYnI=<RgJ?EN#f7BMJ%UOe_Wp>Ai=4`vCuJ>#|J&D5hQ=DgyhHccj_)9%u
zJu{cz`~A_e5WyHnd_^|YAc9G4KH$Z1+e=f-!}7PR`mkH{2qzrSosT0di4@&(N@0(}
zg)v($Z&eg&eO15K@IsCc=s>MAdoB|nQ50{$qfo3rc@=*lPOe+83rk+$U)6B9B%sm#
zfjkm}y|-`ucx>INJ(Q%Va@b1uvqp--$IAKS%aXORv5IDm1M?8pR3k-=utblqkPAk3
z*r9;BDRtN9PA3~M=;?r}Lwsk@6~DmSn#>phD@X~>Wkl9UQ?s_4t@&I$mEO^x+Db@j
zRDA@_qrS@0+xWL43Hse~TVk)bljZS{&#reGKcSyu@@WhH2l+%#{hQmPh&BuI_<_jq
z3bxiOcpM&s4i{BBviA{u-ir*E35~OXQyvxHL6IMNNo3-bCujmc_<KMJ-74et*0+7L
z*J+DRkFD6Y+Gk<4m}u_eG}ygcfBEqJ%QwW~CJ(FEhex!{&_`N<Telat!@ixPwbwPS
zsZE;4x#7F@-!m5!Nt0saiNiBlulvaxxQAkJULZG~c1|8&&XZ46&^9U#h%g?lr3_gO
z3TY1i{6vEQ0)ik6^npqNTuWL7U_@Oq-;+{pfd-;s!bTb%dTZ8dYla>72pV~ls-5xF
z7JM)H;l&NA!!klRVs9tjxO%ucH_ikDG8P%<(h-Ik<E*Ha%X742gTDfazNqaByE2*N
z%4Qx@kal!EKbg04Jq*^D-(g}9>6WxT=Gv$6H)ZB@E<0I4`(_RS9scfoGp2R1r2V!U
z?UkRxJ%K%;9WK~EZ_*DKE62K-iK)*_yrj@sT$g%xspoYmvUf*R@qBIGNQjsr7H83_
ze=CkGk&i#Qt>MUIcbM)PPKdX2-I3Z>isrt!=gV%zTI6rJ<46HD9DcuvFO&blpSF40
zgAlH7aZrl{EnGYTd{yjUNtICnyr}2}M@0IpoakuNzJwp?D_(jEm#mNybHv5Z1WAnA
zi5AWcN3&4hcHXgfWNRbQk!Z>2uqk;(R~EM5(DJn`ii>5e|7`Kzf8NclE5E`@GsA%e
zvL*N<5*O}hAjvPeAjq@*3dlfjZU{xu*tldvL_|!pjJmxCrd(8e-{BK$dyIZ>0|M^Z
zwV%CX>D)7$zH&}ZyIt0<1f@B&J*Z*D6M9iD+Zm9Om1A$4GB8(AmIHXMcKBwQ@}wHc
zw|oT!c?pO4S?$b(fCxzuA{J-AW`cayJq4lc91t;lNkh}X8fhBJY}UQ=25<uf5^-lW
z5QD6c7OK6#lWGNg#83-En1SM$yAG<G0*EGhz*lGHAra_Ziv2&Ky@9O@knUAsgL~KD
z=CNplJCqn`=r_*|HI839Lau!l(~=fL0Hs?lNAaFdOZKl`b}IChCk6Q-dv3o&9WLI{
zAs{|KA^v0X@-AG~+wo*f2d|)Mq!e#=`cc*5M}dBKcu}q)ANHC9Kf5m0OcMtJ2D)^k
z2i_bUSV%QC1@{FE)5*7j-(T+K0-mpLPOe|Se{KYQK8vnzb-iETysq7SE9|#<DJ;C)
zd*3(%ZUujRy%_s`+0*p~&NiL;TnS#@*m}o($yzG>xb=N`d3d>hJQ>bK-*~SaUh-@-
zodnJtLd;EVRTO?a+uuH2PpKx8n{r+6OEbjw#p+>=#x~H13e98<;M2F$x_epZVoj->
zEA8$N6w?ev`u*q${7j6Dj`ls=E1T`q0<lGE*?wt%t)V*_vq9aG`!P_c9q2(7<0M6@
z5E9c`2#M+313|S*28rqY5BsYk&(;I4fhCteDAt|@{(jGOn`xM~jx+BV_#G`pt2>!x
zyfhfwm?cCSlWO>-w~8}KdV+vRA=pyROp6Gq)V>AqZjjqWH`%W>m>ssB#(gx_5Wgp#
zvPJ-r+9@AW#T{Zd3qd6i3?rT4PV<M;%^<~lRyzCd4+?GL_9CSi^o51<uN&UxdBB*P
zS0ad189D(hErOU50q7VPu8?C<=op*vFr0q7einIcuzh?Ft@;0rhXMUWO)ibP0$Ez!
znB-(%T?~o}y_bvPrYs-Ns$Pj+b@e|TJfs6O6?mOBbd{QKy_X{0OXiF#l4#_V3FMqW
zp`qO75bEX-sd<8|@{|et!1;e3<`qGkSci?TfckJ<Zvj&uV|;qadDe<hh2CS0!x%;>
z>QO9D7+F3-aqfE+WUhn3a=OKG3nOq1zoxnK?ztnQXZLXjw@QS{D;SOrvUHZ;Vs=`-
z8G|%b-JT(VMW-^7k%`NgWhk;*k;^ytY_X-OaMbv8p8wrZ3R)gWKXodea4v@kHhGAh
z>IIAA$a#rEVQW#wl?tiYEHWE@GgPrT#i|x^%d9GHLsZfY)TWY?{8mdmz`+2yPt|8<
zAiZbS(GS@=w-F6>F;1vw(`vH6D@#00Qr$3@xF}u~2ps~`wO0(Q2y<c~mv90z@vf33
z)WJ0xW}DZxh)4)z^3w3N8do!>Z$^4)F!&wWp$j3uJW7hrss=T3i`d~ehX~HEvy&qj
zzm0{e&IdtfJky*#gNr*<_KCE{qSW|MArOVuvWs+e8PsXUD&Wo_Y|9QI#o^a-M=;bs
zDd3s3Ih9&xBoX#0ThCRz(aq6}Gec(1^YIuUt%5K)GQR-Lpz2UYS4KoMDCT0JVz(<v
z?3kLj9P6rVroqL)W=0Y=2mB8^3MI;O%LU4O_FpD3&{#su)V-K$3=%Z>HGKxXg!+U#
zp~A&>i*)l)xQOMo_u$IAWHoo+m3_tH5lg$3f?r#I51Imzw$blSKU>9PDGZ;@xW^dG
z+E1Zo%nX6dPYh`b2gt21`Ma`F#J6sjjBTehisd6-Rjz8AUmrCtg<;KD3Qv_w_!k9v
zmeFvAn-LGGlNY%L)SFbZ^}nms+=H_N5G5w1#t!$5e>lPvguGly*@a+<cOQqcoBfmy
z*Z;D)EwNqaJYxuj+X-5!5zz4VjXTQP<XgtL^*#U|wq^(gQ^`7dSXf;v_v$I2B|Kwr
zXRg-vg3%@1TiyRCrz)Q|+EnByU(1qPbT?F_8bWjA$fK%-&9G$0H0f@0gGZ%5V)Il(
z`bx6v37J3&WW5|xSymkk`ef=9)FtK%@tbq5))_!5S>%|1?A#lj_t5Ce&d)>#WVU@D
zumfJFWP5Ykdy3gq6e#oMV9cz!Eg=}(cM<JjFfgP;cw`V6A&`u#r2A21#kx#*85A}5
zv}wDBo=T=7&!{EIT@DyC*v{t?QY3LA5@c2PMHMwUjfM+2GOD;c+1_ZPI7}r8s2Ee<
zP#B<D`{Vy560kH;uj4`_SgP6qKqr=~U;+UqB2RjOJaHa*_hFSv1K{iq*?qBAC&kT>
zPTA=)#}%FdxPL@n2!}_~5t%j%P>F}rERC_LXBSW<WU7T%Sm%(s*T{Q|&a}Gu2y`vy
z2k0CuWaAVs={|-MfDnf?JV|!X4}4#h6IlI%m(5*sHTLYI<^OF~#lA>~BTO_j@K=Cc
z$gJ>K^VK6QI#jkIH&`1T&Hr9Jv@SreNb$Z={9Zd5B?hnfmy&OB-t}qmWEp}@bdGfI
zQx3eP{yjv3HhQlfC#$l0oZ&yKUHVt{(!9Ij>#r}=7I$AXp+O-{T2MpD=<MY9byG0s
zZ2=+tnF_siCc@*F5-QpHj$RnR`r+|;9;(aYgEEIB(vJB3aS5GB$Xy0dh<j?U&a`JL
zcP5)}?+<x5)0ZLMVMgg$XpHRYc<FAb-xf>$=$AwSo@#O=|E-?*l|_{XoGiEt$jsQ`
zw)HmPYFRv%*wVMEXqZXtmO4uO?zlf5zKVt+mkpEPxNrGW7C_$i8)z>YARS3Cx}s@=
zl-LS2rEE;yOhUwTHEHO%gpedB-;IuOB;mmdxkvP@*MK=be1lMjd;u~O<v9L1ic&9w
z^zgtgb;(q3f|x~4vf+1C96n_DN@G^?P%MS~k3IQBPVgk-X`|53Vem(yPJM>pUDkRy
zqT7U1!PM*NW@dk6;N{AG0%_s-sWO$UlAD=uZg0*qSP?)Oq>dcE62CfL*D`7{Z&T5|
zpLzl~uz7#&f?Fzv{%%&<{-5@5oNi`}=yOtu&;j5qKb#Q<VPCSae2<CJg$$}QO75>v
zb3A_Ny%C8S{?miZ=@e<q2cbrcMB}_waF>v-6L{UUYE3|i6@jIHXC;n5I_lPd7wRT7
zppTD%-=Rn?Or8yg#Hq0&7OtiITVHUmVT)q_d-S%DRw?8R2y&)TYGO$n1;H#V|H&Z~
zOXBn=R;ddahtDoDB~KiNh7h~dlImCMsvHfG6%1BIo*x*V=Nc15u7XkjIr$i26Y7Kb
z!5uOXD?my`q%zl&e`F5QeYc^L@-B91rFwy5h639a!nBJcQUtC^CzRt5;HmR5B9$5A
zOmws)7|1e5oX&IoNv(0seIb62c@`Yaq==ltmR!B~=Rx`GNk0JAa8ZB}nGKE**Lm8B
zkiOB3`r{!fHawyxQtskK8*sd7%qW;&1pJ5qQl0oeMf|STK((cG1H2ohP>lUsA&)<*
zQZOQ)yoWQVim6;P%}Nrle-+h}zq$CUrqmrEQfyTa)gh87n+ikj3&^xA@~H|;cN8E5
zOa}i8B-O;|GI!HQof>X%=G3Z35UC}Sh!na=vU5cF6<rH_#1Q@xkdHmuO1$t)$Vm4<
zD=sbFIFz`|yb=&nyDDTWuH7+l5ljm6f|=U3SwJu>#S~*sTX0k^^q1oUDS9pjPAy$U
z)VNw8L`mf>{L2c8c-QD&Xu1NbyC@&Pln87IeY@V9M+D~J^0s&Jq6s+u4EhNTUBs0^
zR0Q+eUmq>BZn?CNB^DtK#=nB_WJ^Pu-@3}^@-8wksz$?k6jT+w#%)?|>U28%1tL;q
zD&_mXc+o}^qh1^{V||N|Qtv|`Z{zhxts10kKR(@ac6WWFOY?~i!XxIRZ<pOgD5eRZ
zl)|vi)%^ONR1@%S?Ac_z5I^UvFJ_pvv!K4s4xBy*c@c{P3&=&z@N;kH4sRA_MtuUi
z{hxOShm*+*`3iGBr1V|!3;(=4H#?bf7f$L{#{czbGIGM7@VPE_a`_mHH=0z{&AOvo
zik)>3U`Z-0bed9erTlIJqYJWS0@X;DP(W4gm#VJ9=*OS(-b~poz_6x}V>p{|505R_
zbRP5G?Va)iS#sybt_O{eXJy8qK>N-O^01YRPb~7pXAZb6y29g<OW4OZfazz7++uR!
z`?}jQ!4;6E55>{zkefb><GS%%+$hG6_;kyOP%-{ErahW4JQ7A4W-;;ruD)bTe(B>j
zGOH6sB?ChRhwY?a*Etb@&A7=s9Uk9n-ENg?l_W5b3+^egvIvX5_A1nYPT9hO_roWQ
z+}0i8O~<gI40E1mFwLSn#kH$)2zR2+<zo8I_c{>Is@&;|EHh3$w&h0*5>K6a%P+h)
zvNw|Q&o&Kr0`yl1&<)NXy9+By?K-JNw=ebf$UL)N&bC5J%{y!khBE5cc?tt0(+(wa
zX@hY<s$ko^F#!ZoV(-6nRqim!vKQK>(sN2obyAx?6XIXc-#T>LorUNFe_}i8xRZjh
zBZ@dRMw#QN6z_6KxIm(TnYQZj_I1~YWQnV|`Y5inO?Zj=F(%Zf?;#Q7d898of%V@k
z-iN!LI&?Qq&wuG>k@MCbT;{giisfaRzn<0ru|HL!wql8Zhc6t#@8#56dAB{+bWia?
z7{89D2)l<q-S3z0cc1q8{2QKL)<@mUMm?sSO7dW$!p$=C4oIvgzm}7NI@)h5dGoD5
z5GymsZqhbQS_$00ZEdo`4vm8aaA~tsV}@WUq)-{-p?0bQkB*2_z-Zr^a>(<wb)PnY
z#;pW{ci#pdth}4b3wb*=b+j{7P(r2G<*T`Ef^iX=GUx`=Ba&}J^Cp=-%ya-JJe&7*
z_u-|*k5%Hy90x|2^JDFVR%0)l*{->tuM~clXoa7FB1=;TVn+fLOOAgshPB2GN+uMQ
z?U<QjEiD&Bx^$G~NW?HiYBGO2Y~a=aGdEstzP>(sx2&_Y3)O`&8#ghfRda)5(!l%L
z`3kbM4$cIM<prud^CzgEUjghLgM#X<pFIp=)z$=^@p7ceGP!*MSVK)(i@D=LN%nZv
zd6O_7W^mjRr$*5w$Hb>`@R9a%oc3iE5>G=)h7q>sE+L6HxU&-2W8!rY@aK9!eZ>x+
zA+F0-&D%!xZa&Chz;$-74hjlL04<=j&nUfp9%odZpolG8-Q&vF+_8~of=P7~(Je8Z
zTIPb2gB|5XeOJ4{HS;Eu%^zt4l8_j#yf;pWUH(KR>;#1sL*Nj6oalW1-C5$_(y*g%
zg*^l`bX39$7>4J_j*36l;EVthx0>T-%B-4sTtwH@`uJ8JaJrYk#o8L-+ilRzs7A@F
zHf0{h>~MpfC1Wn_?r?<IvYA9`YaLiP7OgO3dIF5v<;%iK8Q*1ZH4zHAyKV+0P=BB`
z!mC%Ymc#p8iP9O2MY}3LJxE-AMEQ{>TwOe`r#d7_drCfOAbI0Dw!#776^fbeqI)S~
z!)l64JZuD}lr#hu%H9|gE;&x2wAjtN89n^x)j0^qPs&C^ED4?KvGphMN4->%HTJGc
z<g>cH!!);~&>6k#8etGnEm1T(0L}*Yi6;wW2%B5edEwT%TaQ2AT-vpvl=Z^fnC(_)
z0{;NMYzqTQK{Y>O4W59{mbr@h*El-kLYluI@E?L9nAr?Kmv9nw*c$iw9^pNIowt;6
z|AudOiM+|LzWx*%jzatE+%F)YMtQ}H0GKiZFirGvgeMhA-wyLygLnJt{3JvCN)1U=
zp*dXDoHs%&E!)HI>3`Y_ZK4&j#<==A1yVfWS=bb+2H&seTZRKOZP%^931JefLI(^q
zeifq3x}|@cQ*M<dzhp=7r<e<3KDg!{8n>NK>Bb-U4DVYDcOtmvpB4?{v}9VK*2Etc
zX@*SOo+h<?3>J1<tC5e;y`NY17_*CVuSq^v`rh3-=-a5tO>~84nb;pA!Rc-wr^lGp
z)RebO>fFvA>R1AWQuqw&NGUvNP}>tWxxplg(i%$!tV)-0oCggCRRUi}>!_PXW(r}u
z`}Xh4n4e}9r18do8T`=RMaM(FHALBJYd&+5s=s5^BKkq^B&#aJ*YWuK-(9Ajm`-^}
zk2zwP3c6Spq`{<tP<o+JZbu7Uh<Q5($>VJ#OZw?Itj-IZ<nHfv-=U@z2ZoI;L-R%>
zg`Muc<zOkB$+_XP))&9T@mV5DH8eEIdr0a#`VC~-bbnV_;y|yMxOHa_yC3)7R_{`G
z8~vgRmvqmN86RQ$M{(_f#d`bD029kSH^pgNbiWOSrc4)$4qSWj%etzf#6%b@F$oM~
z&m1je%kc*GxZqV1zbO5Dv-NcE*vqwYMGd!?C*mMOGz!~q&U0W*RE~n*E;Nn!q8Z#u
zht@Rp1SS0T#B~70^>Xe~<hiROF^?@Sr)+*lXd4s)Mib38BkZ1X?WqXOgg4+;x$bt%
z4C;LG9_Fidq^52Z6pd?!i2tLFH}1F|R=!;)A0P_s)!ef3q9!v=U9Bo^1(RKv5haL&
z>FXT~ExLN~*(<n~$d1dX98-uiOFa=Xdodg-l9Z{7TiQ^Fsa(!Q{5dkDZy19OejMW)
zz6g5-58Uvx^R-x3Mj7jKeHCrR+lN8N@PM?asu}*<2m9f(nWLde%B^@M7rpG27jJ?K
zh9w0RQ!@fZ%IPciG(-p0J4>itlcw5Tb<ZxMPVY|>OxT;QqMLg5%F0O`SSG4{M$Ea9
zypVY55NbGRo(5GW;`dX9g4(QP2j5!Teiyg}Wh7v@g~;q)G3$p_;J48OytS7W33m>C
z(Mwwbpdb4{Zr#+TM>k@b__?#6^-enYZmoQXYacc}1+MtE@v1-i8x1xSe_->@qqV3Z
z>g8Xt&75JGc#P53hDrVzKjP`Zy{`PBFwTv4h85)l`vJ3roTxOC6t&pzlB&Y(V0%*S
zz1<fEVRnRgu2AC5fXW+oM%At%_#;rc(cRJw`x(?oLj(LKKaBa2%Zp~D6{-tJa%_;5
z(hu9pj(JmAwIq;roD&`;4je>1uOvV)^DBt&OK~Lt2lv^3FA5m&N2W!Bs(PP9GDY5(
z3~}=LVZ?PPLzcCZ(|R{UYna>nw|c}rR|npN`Jyj145Ucin2z;8u9x6mC1+&l4u`2L
zA(b{UB?$~>-h@v}+41^?&?a2rYyECMlOdLM=oRR}*A^t-zpy}X<bKlIgyUHyV$>1a
z(9c8c)P9NhkiJw6jX3fR>`v^cFSx#B;Kc4*Wjx5jX38k3Q|h|Si}b7|l%}nd($}ZN
z_03<7`JApEorb(eGI)+9ch5s7QwSTAQQfjW<_zd6naJ04dhH|EkHpF4G|hzBoOe03
zyQp0OJv#U;#PqRO5PQom1CwbHhZ=$F+~P};Ib%{r&IlbcASrNYl=TOEP7Hy$)Y-bY
z6T!Enog1QKdkGc^HW^oc+t)LZ!8;3Ch`A9pdi9X#5GBh|ViXr!f@5!Xg1Ebm>n^Yf
zzp(l6b(j6(aQwmH%0f^k^~2Y523=p}2H<AHq-mlUrSIy3Pp9DP&1o5Tkbd$vwXWX|
zunu1DP+3I7k3qWa_(xMZXRwmNJikpz^TQP-Je?~APKK0H*hL!_dz@4hSAsvqK%vOE
zEn{@tWJtkqe_dv=At0DEK!`H`p7}i1Mlgd^wLi=i*_&#WM}3;JoSZ5d)SI=LM-v#=
z+H(K=#vn-33x&Xgmapih+e%{}J1OWRrHD2dRM0j##|r&<-=+Gvy<pl?C*@wNK{_yV
z7LFf1g&q<2YZ<-d;4D0O$+q+oJz~;oe+-Z`e-@rN3l9vseckGs6~rbW2A(Xz*Rm)D
z^9#;yD%O{aCSc?4j8dsAasDnmxsj)@PU|*d%&7lenl)7j3~bGm@S^y|pWM6zzZLX)
zBfhVG<=CJy&d&aMx4S*TO!~_|ql?gyl%=#Sj+5gS(CO##{BTlRdOlH09Z-Bbn_*P@
zuor6pqn@&pUUGSTPj`YM037wk`<9$^OEDf+B~<({OHoX?maKx0d|-WHx&^n=`IXHf
zS^&9!vSjbI3Eju4uS;=I24kbOQXrW#qalNQL^&4SeO=$SBn_|`GuEqQNy^R{T3S0Y
z?6n=kkGQuEzfvmGIIg+!{oS(!yI>tnt*omQTPS;0GOBn)N6|=S5~vcPLwMXiKNT_A
zm5~zgT7Y#9h<V%Qz49cq@CqRILkiExs+4Fi{$e{j1|T0$uVPoov$04Wa%?fei;wqX
z97;vu)8Dpt$FJlQOf^Yn!HAs1*LC-Kp`FhDd-d>k>LqOpkjou1-*#piBK;`oRNl%x
z-;Mp1Mf(k%I>Xy)6*w;NQsk9aSwQp!>gV|%%9dO*nWmw>!SPw+5URabVeO|#`xSws
zd!}isojJ_!5mP0l*^#K2GgKxB*)&Da@d^2SZN$H0z-4DD72P3LctVJKv{q2#2DL1-
zncF;sD}B)8g6Gz<5@Dy{0P+TY_2E#;%GA7Qj7tJ0tV#?Qd7zVmC36LRqbAb@n0^f5
zb(SOH+<|p2DWIi|(0gKnr?tk+CJ@c3WLhtk32czaO2EeH2|cUq7K+1=D8(A)jm6Yl
z=@q8Yqj50k_;$(_&r=3Tr}-=*$KuQGVwx6K1AGU44T-`|;k$9GPu>@)$p3~88xKbD
z9!L5@%t7p!4;;iu%uM$O<8tcfpQ*j!9QB7^JwZNXM-nSbn?N=r5jL27r8C=K<V;hd
zg~BM7fgll1Nv#y8PmDC9fl>za{!U^@@)R2>K>YY-BU%uvP^18OGg%>>O3JtLPU-4I
zjm%Ku3eQmCeJo@XQWSe)BmBEYF){MeP!8W5Vyp`I4b;Sf45-0AfQ^UXEKVfnjj);e
zrMxFhsVT<(PSsQbzzi!CixeLrRu(FHqalq|-suU{8qxa=x3QLYT>e=(rf8Z^;9i_L
zyB3qWEUV+|IP)7<=|D-!TABw-2i7N0%qEB^&nCq@tB%k+YJx1;JQ|8j`<)^za=F)B
zLjG89AE<X@m91z>c#6!x@{V8|av{E2Fmpzwk;3eO;l@Rb$9GSwi3wYA$2CeGiJvlj
z;{~=#`T-#ZqHKvr2p~^AF6K`j7#;lCgyHK>_F|DF@OSXS!0{KVP^FnYW5<2^-$$WB
zHrtlrtOE1ypF=Q>{Ki1l>y2fpZP^(tdvKt<7I4UIaWs9d5qVfxPzt7}f{>Ydo4|#z
z;c=LCh;UvqiptLF%$mD$U8yaxBO_FavV|os|Bu98*tO%{PhuMfoEk%1q&MhqE3SR4
z>h5Or&^O?DuSTvpHJfzjw#Q&^ZkJE3UjY%UvR9=n%okZmona~ImUhLukq<PC-0NdS
z)j&1j-vy&I1+mr7`Ci^bD;BHQkq@|*L`Y(qY?N6e@TnS`L*_0eGHCjCUCZ%Olw1QJ
zd_$&}dQWP3>L?i0SEy8=NDI@c?KQ6yZz|la<kb9|>Z?rhKw~AhSTDaOd(D%Z_x-o?
zN=(u%1qQO{n!uRf>elD48Llw?WEs!1W<UeJ^Eyn;KO_Rpqljh0E5a)X=r!qoFcj+4
zl_nwo6!}v`+D9SLZAh8HkBJhnnn45J`7nl~&r7%VEt}Hl0v%r4gG8;uUjeV{m42dU
zF(=Y8L%9Kf?F1l2hSH6IhJd@Mb4y79riJ7mlGDA4LH;MzD4b<xPYM&5NaGR<Xdr1)
zp~*WpCn%rZatr><`1YrBrF#*6Kj|_F48>4c{XVNCl)E(xsU#rRu&dl|F_hoyLok%a
zACINiUnb8s+>=@-rwf-Em#&O`5dx86!UA$gzTc%$p<wK(lFc|a>X5%Mb-=8N`QotP
zp*R#;f!UQWI(8BpsaMb+=0HD+45$R56f;c|O^;>1MVbb~4tLzfC{E7mB7j;ZQDnx&
z?Bscn?j+19*vStofkW@(0}*X~h1$&E;Wk0FAb|$8X1#;fY|46Tb-TRCDW$&8p=qP)
zd80jY(z}gJQW*2Vg|Y1tBK-i%{rw4F9SKud4aPl)19~QSBDGPo-y9IL0z8L;;POmp
z!5C4Dq{5Z-Ao4$nD%M83*NkN;3imW2FKm@D=NGdztIcjk&n`y{1@4{P-8pdfW6CaH
zk6=2!D5kra>6=eO^_SrFiYvt*5m!OA_lTeO8ptWxmhu3~^X^@6A=b1L;-4oJ5Z`w0
zlFjM-@`utOJP5dE=yG16fg}@({(Lapob$ag^ur<DP<4caTZ5~pxqYGbZOOrVexfoI
z@?aX3<AFYr>cd@^kz$7Cvs4p^?L!<o6~z4J9gR_f{ff+lE(>E_S}Ls0n$__}L%I_<
zfPU^r<0}<oNlapZH8Ubg{(0qJ(n-XhN7XcY_kD=seV8|%LmPyGzzFEppVB0d>;b+(
zBKeR<&sDh2pwEFm?h)~9BENXRV9tWTQ`HDzV_umX<oMODYVW5tR!A9iOxd{A1QqxT
zPCv#U)Wq-plIk81l94392u8WH-bX1M9GtJ+4|Dtq6!;b3B1|B~3weE*saaJZP8h3_
zD-IXeT|3(oX<v~FuzB&Y5M;%_gyIxu1&J@MM;%@QPQMub+MqFwO43vgxf5CCQ;f1K
zO5HSrayo9UuCqt{lfW_se?$tg1<FVw8_A=$S>VSD=sLNj@__6m|M+PL%ZGd$Xm%zv
zx-D*phv*TXe*1CJzr6<0^~cCRmv_xw8J9@eDdf%vj_W1^C`qUPaD=rkj+oHw19$%g
zEWd+R4JSf(?{o&Lpva=&m?b?9j?KD*UhhP*Ty}N$;WNtJCWM##iTrpU=Rp`j5+Q?e
zIBg~&7q#Z5tp6|iYU}t8)1b2a$b&>)qUqeF$?EvJNzRajLTIfE?uql(I-y~f|6!f(
z*uSojiUolQY)sxhmaVhuFxf{5s`8eEB@HQU9F#}Fa4r5I917`D9C~y_ZP${~M2Gs8
zS9K5(^~pYXVu6Ky@#P+2rA|lsRLGAWhOTO>a^6|(o1aaH7@@ySaA~!KY+o0w==M$@
zhaw&WvW`|?$buss3f&v4xQnAuak>Q4Zs&*%`ynj~FhcVrw5*3LV$lbhC)r#?#=N$K
zz^i}fGG(BjEz$vz$gP^}zO+Fsd%$8ihN+Owk+y?*t;C|mNI?d6T7=rv(?b+{i=<ol
zD`c>S*B@BP;|y0Ml&atgdA|CLRz%=ViNjbm!l?0h5dCUHHrPOb&WI^5X+dlA55;~n
z0Jc)ZrXeFgH<n8+w+l7pic{lr4+XY@wrU{9wdwCXbNGov&Bs+HiG_j({X#GRpLD)c
z$d_<M2ZjBh1PiaYN_l=QW;P{5v1|mb!hZlm=~DO&O3-q7;~fw3<?vH7L`4ZsSS{wk
z=FS!Lta?WBh#9A!?=lGY62QGfS0Azy=hCBoyFrMuCj2p*rY;I(w$+iJ%CPhPk$6cT
zv%6{8!WG3tKOBG+=ufZpI;FNot7}6dq_pWMlKlzKDF&^tr$vqtRm}?x%_is&MH41O
zDMaWc;!78;4D_vdW54Q#e$j893`YGFvf7|tATxbKNr~tXL=LCiJna3gX~ptB(aTdC
zgb$&!3sqjf<dy?$E>mN6xSP^*RfrNmRCfT#t}M>H9p1EkaIrP5Mv1Acp%Cb}%GIJ*
zIFb4j_mM}~``)QXJ<658R=m}0K+GC~WzTFnx#uz0YFi%3Rn)LLp8V%&DnJ^z2MW89
zJR_$0h^;QdpBDGAXD-U`a#Z{FiINX7Nd&A&HX=N<I0wKliS16BMK)W@rOfF0?Ik-o
zsO9-aTkI7If}B0W+l&sxLc|Y&tMmbr!)>7YXc{4Sr>U;tlFGu}ATRIW-AQ<+4)Dv5
z>M=HmVa@n9-342rifQf`CvsX&qxzLn<Fe^2tWC;!8-0U%1Jmtf2WnCELUGqB(-x}=
z&Aeo5fIo0z0r=N@c)u)r4W9r&+9gvgNysD>A9TaJ(dV&-JDOR&9hGSKtb(z6q1>um
z%of?yM%2;PnXVi=jrW&P@6zI(oc?I3v^qz6RRoKzGd4%L=Uup4Q1IRD&OU%Pb9z?j
z=ZdCN`=lE8+h5W72%Mb_n*zA*1?Q#JOWVj!{Wc&mo2{MUkJ3MXKvR1yl_D90Lst&a
zn>n7}BWH|=EgCVge@<D}a>Kckn2|laKKyMlIzNix{}7Z&WRvUG_7SFp(oGMZuk|%z
zAaX!oZZM;xU30|MxtL-|81SX58My!crc{|)sY}>-A&Mi_p5s{)<uyU!)i65ot1!cz
zuE8DX#kSu#;F}XW@*TVbH(Kea`U1y#lx=SbAaW|4X~pT>jv_WIcJak=4&CZoh?~AV
zk)|*H@OtK`nK&A{>E{SsWra4o7vS*e`Qag>OTD4EO0GT<CQ|?6|23>q!U7$C&LNH6
zbq_+PYso3sbHSCH2b1VE?~?A?TZK5tqev0>1=Z0(@BsGbPCRo&`-rUZnBC~Dnw}xk
zq{>)5Ssb#N$U1)?ZSh~;=}X#)Uk^mMrQ-w<Gz9HFv?n!M7m_4AI%@Jpm3<*Z#2vVI
zKBeBQDTlM2GDG~W6uOg3($$zv{eKRt)QYv+_XZU@*s{)?;$G8VP#ziMn^ZU#v2R8g
z4fJ$3*v23iIqQZNsGQmDn*!GY!d&Jh@X6doTEwRW)i<^(E5>h<$wAv%jF5m9ByCto
zEc`VR>A(hr=~BepVA(8@w?ZNir4BD-6i82}6;i4NRTmNx(iDWQmk%X|4{FfEXWhFU
ze0#mbFFiuOoGKLydfj*|eU|JZc)uRJ&0>GQH1XSd-g5H3mlKEGd?WskFs>y_Um6WG
z=SK#5wq*s8`S*b)>{&}u0w6)(lh9hs96eD%Yqn&dYd_W&I=f0pP-8MI=)sSn<;7kP
zvIQlO5)$^6tqnJ?h4U*NB(N`O4uH``eT|-aS-mH17`k9XD;{WpsSz)}KJM4fle?TL
zvcU~Z2DREFGrJV{bGdE`Pn~`&^R6IA+2t8?H8JQ#;pOrAe7D(ZM}HQ|l+n<s9nv>y
zA*1g6w$-g4nzaoTj5=va5ze8c%&U0i*iL_wc8d_`q-|7&l-o;>4>XWrL=pOnD_l!@
z)69_hOGd*Wbr;(FudS?4$vi;wMaoVV3YCP|X+~q;g7T?66VQ6S5QX`(#tHRa^ujAG
zaH8HE>gd#x+tYl>JHCO)n&v(1)9>vUq3%Q?=`Sd&d&O`XDbz*gVE+nT;kTDWam@fU
zEC@*4pK7i+=h_c4ut3XX%S%E67T{2~r^N7lFm`!xB4*fix~K<Lk3!k0tW1Ei*sGNq
z@c1+5mR&Rf`N<+`3_N5^g<6^gvYFTSkW(=!NWEMbR$YVF$&%4Ol-!qT!<F3J7~OrJ
zGOx}3=&NU(DY$ztZ2BXUjXze;V5L6l;Xmj{S2YZ+9U+AOg0CPtKI7M!IeYCSKeMw>
z_d{1>3E$)s^1lK|r4+Olbl?Q?{}(~;#A*Da5qCT*@&5#o|3s1hq-y_5`=GD!GLTN7
z{(lw;gpeQ(btD2(Ob~}G1H~s$5dZIA3j_qt|GfU8BG6ER1XP(Gh}n!7)T@sKVoPL#
zVlw@gr3C^1!9z<>ZK5L7juq%JQ2->GOaygo15!@<_wgT`u>~b2NkdcGLx9X3aX`mO
zOwd7I5TGs}LJ(Ur1_+Qu1Xbb#GDxNc)!3tffJrD&?tY-$WNAo3&~`G*|IrbInSu)?
z7zkoW5rISn*`$a--G_k6Q^cV3!a>2Qcp$e3B+ytQ1_&>e2+Ab#zeVz?+)&oh{~!R)
JDfU0J`F}V6er*5%

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
new file mode 100644
index 0000000000..9177d7e15a
--- /dev/null
+++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
@@ -0,0 +1,72 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "topLevelManagementGroupPrefix": {
+            "type": "string",
+            "metadata": {
+                "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
+            }
+        },
+        "effect": {
+            "type": "string",
+            "allowedValues": [
+                "Deny",
+                "Audit",
+                "Disabled"
+            ],
+            "defaultValue": "Audit"
+        },
+        "enforcementMode": {
+            "type": "string",
+            "allowedValues": [
+                "Default",
+                "DoNotEnforce"
+            ],
+            "defaultValue": "Default"
+        },
+        "nonComplianceMessagePlaceholder": {
+            "type": "string",
+            "defaultValue": "{enforcementMode}"
+        }
+    },
+    "variables": {
+        "policyDefinitions": {
+            "auditRGL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Audit-ResourceRGLocation')]"
+        },
+        "policyAssignmentNames": {
+            "auditRGL": "Audit-ResourceRGLocation",
+            "description": "Resource Group and Resource locations should match.",
+            "displayName": "Resource Group and Resource locations should match"
+        },
+        "nonComplianceMessage": {
+            "message": "Resources {enforcementMode} be Zone Resilient.",
+            "Default": "must",
+            "DoNotEnforce": "should"
+        }
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Authorization/policyAssignments",
+            "apiVersion": "2022-06-01",
+            "name": "[variables('policyAssignmentNames').auditRGL]",
+            "properties": {
+                "description": "[variables('policyAssignmentNames').description]",
+                "displayName": "[variables('policyAssignmentNames').displayName]",
+                "policyDefinitionId": "[variables('policyDefinitions').auditRGL]",
+                "enforcementMode": "[parameters('enforcementMode')]",
+                "nonComplianceMessages": [
+                    {
+                        "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                    }
+                ],
+                "parameters": {
+                    "effect": {
+                        "value": "[parameters('effect')]"
+                    }
+                }
+            }
+        }
+    ],
+    "outputs": {}
+}
\ No newline at end of file
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json
new file mode 100644
index 0000000000..01aa3e1411
--- /dev/null
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json
@@ -0,0 +1,58 @@
+{
+    "name": "Audit-ResourceRGLocation",
+    "type": "Microsoft.Authorization/policyDefinitions",
+    "apiVersion": "2021-06-01",
+    "scope": null,    
+    "properties": {
+      "displayName": "Resource Group and Resource locations should match",
+      "description": "In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains.",
+      "version": "1.0.0",
+      "metadata": {
+        "version": "1.0.0",
+        "category": "General",
+        "source": "https://github.com/Azure/Enterprise-Scale/",
+        "alzCloudEnvironments": [
+          "AzureCloud",
+          "AzureChinaCloud",
+          "AzureUSGovernment"
+        ]
+      },
+      "mode": "Indexed",
+      "parameters": {
+        "effect": {
+          "type": "String",
+          "metadata": {
+            "displayName": "Effect",
+            "description": "Deny, Audit or Disabled the execution of the Policy"
+          },
+          "allowedValues": [
+            "Deny",
+            "Audit",
+            "Disabled"
+          ],
+          "defaultValue": "Audit"
+        }
+      },
+      "policyRule": {
+        "if": {
+          "allOf": [
+            {
+              "field": "location",
+              "notEquals": "[resourceGroup().location]"
+            },
+            {
+              "field": "location",
+              "notEquals": "global"
+            },
+            {
+              "field": "type",
+              "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
+            }
+          ]
+        },
+        "then": {
+          "effect": "[parameters('effect')]"
+        }
+      }
+    }
+  }
\ No newline at end of file
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
index 29b9776eda..11a477c1ec 100644
--- a/src/templates/policies.bicep
+++ b/src/templates/policies.bicep
@@ -179,6 +179,7 @@ var loadPolicyDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment

From 6daea45792911bd40b24506d5b2946c70ed59b90 Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Thu, 14 Dec 2023 20:20:16 +0400
Subject: [PATCH 2/8] FAQ Update

---
 docs/wiki/ALZ-Policies-FAQ.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/wiki/ALZ-Policies-FAQ.md b/docs/wiki/ALZ-Policies-FAQ.md
index 68fa677fb1..364b25bfb1 100644
--- a/docs/wiki/ALZ-Policies-FAQ.md
+++ b/docs/wiki/ALZ-Policies-FAQ.md
@@ -4,7 +4,7 @@
 
 There is a lot of change happening for policies in Azure, and by extension ALZ, and we have a number of common issues being raised by our customers and partners. This page is intended to address those issues.
 
-### Diagnostic Settings v2 (May 2023)
+### Diagnostic Settings v2 (December 2023)
 
 There are several issues raised around Diagnostic Settings, and we acknowledge that this is a complex area that is causing a lot of pain.
 
@@ -14,6 +14,8 @@ Check back here for updates, and be sure to bookmark [What's New](https://aka.ms
 
 To view the current list of GitHub issues related to diagnostic settings, please see [this link](https://github.com/Azure/Enterprise-Scale/labels/Area:%20Diagnostic%20Settings).
 
+> **UPDATE** New built-in Diagnostic Settings policies and initiatives will be landing in early CY2024. As a heads-up we will begin deprecating all our custom diagnostic settings policies, and changing our default assignment to leverage the associated built-in initiative for Log Analytics (as the target) - additional options will include targeting Event Hubs or Storage accounts.
+
 ### Azure Monitor Agent (May 2023)
 
 Similarly, as Microsoft Monitor Agent (MMA) is on a deprecation path, Azure Monitor Agent (AMA) is the recommended replacement and there are a number of requests to support AMA specific policies. AMA is currently in preview, and we are working with the product group to ensure that the policies are updated as soon as possible. Some policies are ready, however, the initiative to activate all components is still being worked on.

From 4616d64afeda6008bc892ca11940ce9a139654cb Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 14 Dec 2023 16:20:47 +0000
Subject: [PATCH 3/8] Auto-update Portal experience [Springstone/a9ba97c9]

---
 .../policyDefinitions/policies.json           | 134 +++++++++---------
 1 file changed, 68 insertions(+), 66 deletions(-)

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
index 80131eb428..01a264354a 100644
--- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.23.1.45101",
-      "templateHash": "10333627625984546269"
+      "templateHash": "5249879299117061376"
     }
   },
   "parameters": {
@@ -131,61 +131,62 @@
     "$fxv#109": "{\n    \"name\": \"DenyAction-DiagnosticLogs\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n        \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n        \"metadata\": {\n            \"deprecated\": false,\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"type\",\n                \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n            },\n            \"then\": {\n                \"effect\": \"denyAction\",\n                \"details\": {\n                    \"actionNames\": [\n                        \"delete\"\n                    ]\n                }\n            }\n        }\n    }\n}",
     "$fxv#11": "{\n  \"name\": \"Deny-AppServiceFunctionApp-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Function App should only be accessible over HTTPS\",\n    \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"App Service\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Web/sites\"\n          },\n          {\n            \"field\": \"kind\",\n            \"like\": \"functionapp*\"\n          },\n          {\n            \"field\": \"Microsoft.Web/sites/httpsOnly\",\n            \"equals\": \"false\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#110": "{\n    \"name\": \"DenyAction-ActivityLogs\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"displayName\": \"DenyAction implementation on Activity Logs\",\n        \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n        \"metadata\": {\n            \"deprecated\": false,            \n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"type\",\n                \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n            },\n            \"then\": {\n                \"effect\": \"denyAction\",\n                \"details\": {\n                    \"actionNames\": [\n                        \"delete\"\n                    ]\n                }\n            }\n        }\n    }\n}",
-    "$fxv#111": "{\n  \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n    \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n            \"equals\": \"Approved\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n                \"notEquals\": \"[[subscription().subscriptionId]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#112": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#113": "{\n  \"name\": \"Deny-Databricks-NoPublicIp\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public IPs for Databricks cluster\",\n    \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n            \"notEquals\": true\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#114": "{\n  \"name\": \"Deny-Databricks-Sku\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny non-premium Databricks sku\",\n    \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n            \"notEquals\": \"premium\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
-    "$fxv#115": "{\n  \"name\": \"Deny-Databricks-VirtualNetwork\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n    \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n                \"exists\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#116": "{\n  \"name\": \"Deny-MachineLearning-Aks\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n    \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AKS\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#117": "{\n  \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#118": "{\n  \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"allowedVmSizes\": {\n        \"type\": \"Array\",\n        \"metadata\": {\n          \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n          \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n        },\n        \"defaultValue\": [\n          \"Standard_D1_v2\",\n          \"Standard_D2_v2\",\n          \"Standard_D3_v2\",\n          \"Standard_D4_v2\",\n          \"Standard_D11_v2\",\n          \"Standard_D12_v2\",\n          \"Standard_D13_v2\",\n          \"Standard_D14_v2\",\n          \"Standard_DS1_v2\",\n          \"Standard_DS2_v2\",\n          \"Standard_DS3_v2\",\n          \"Standard_DS4_v2\",\n          \"Standard_DS5_v2\",\n          \"Standard_DS11_v2\",\n          \"Standard_DS12_v2\",\n          \"Standard_DS13_v2\",\n          \"Standard_DS14_v2\",\n          \"Standard_M8-2ms\",\n          \"Standard_M8-4ms\",\n          \"Standard_M8ms\",\n          \"Standard_M16-4ms\",\n          \"Standard_M16-8ms\",\n          \"Standard_M16ms\",\n          \"Standard_M32-8ms\",\n          \"Standard_M32-16ms\",\n          \"Standard_M32ls\",\n          \"Standard_M32ms\",\n          \"Standard_M32ts\",\n          \"Standard_M64-16ms\",\n          \"Standard_M64-32ms\",\n          \"Standard_M64ls\",\n          \"Standard_M64ms\",\n          \"Standard_M64s\",\n          \"Standard_M128-32ms\",\n          \"Standard_M128-64ms\",\n          \"Standard_M128ms\",\n          \"Standard_M128s\",\n          \"Standard_M64\",\n          \"Standard_M64m\",\n          \"Standard_M128\",\n          \"Standard_M128m\",\n          \"Standard_D1\",\n          \"Standard_D2\",\n          \"Standard_D3\",\n          \"Standard_D4\",\n          \"Standard_D11\",\n          \"Standard_D12\",\n          \"Standard_D13\",\n          \"Standard_D14\",\n          \"Standard_DS15_v2\",\n          \"Standard_NV6\",\n          \"Standard_NV12\",\n          \"Standard_NV24\",\n          \"Standard_F2s_v2\",\n          \"Standard_F4s_v2\",\n          \"Standard_F8s_v2\",\n          \"Standard_F16s_v2\",\n          \"Standard_F32s_v2\",\n          \"Standard_F64s_v2\",\n          \"Standard_F72s_v2\",\n          \"Standard_NC6s_v3\",\n          \"Standard_NC12s_v3\",\n          \"Standard_NC24rs_v3\",\n          \"Standard_NC24s_v3\",\n          \"Standard_NC6\",\n          \"Standard_NC12\",\n          \"Standard_NC24\",\n          \"Standard_NC24r\",\n          \"Standard_ND6s\",\n          \"Standard_ND12s\",\n          \"Standard_ND24rs\",\n          \"Standard_ND24s\",\n          \"Standard_NC6s_v2\",\n          \"Standard_NC12s_v2\",\n          \"Standard_NC24rs_v2\",\n          \"Standard_NC24s_v2\",\n          \"Standard_ND40rs_v2\",\n          \"Standard_NV12s_v3\",\n          \"Standard_NV24s_v3\",\n          \"Standard_NV48s_v3\"\n        ]\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n            \"notIn\": \"[[parameters('allowedVmSizes')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#119": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n    \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"notEquals\": \"Disabled\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#111": "{\n    \"name\": \"Audit-ResourceRGLocation\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,    \n    \"properties\": {\n      \"displayName\": \"Resource Group and Resource locations should match\",\n      \"description\": \"In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains.\",\n      \"version\": \"1.0.0\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"General\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [\n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"mode\": \"Indexed\",\n      \"parameters\": {\n        \"effect\": {\n          \"type\": \"String\",\n          \"metadata\": {\n            \"displayName\": \"Effect\",\n            \"description\": \"Deny, Audit or Disabled the execution of the Policy\"\n          },\n          \"allowedValues\": [\n            \"Deny\",\n            \"Audit\",\n            \"Disabled\"\n          ],\n          \"defaultValue\": \"Audit\"\n        }\n      },\n      \"policyRule\": {\n        \"if\": {\n          \"allOf\": [\n            {\n              \"field\": \"location\",\n              \"notEquals\": \"[resourceGroup().location]\"\n            },\n            {\n              \"field\": \"location\",\n              \"notEquals\": \"global\"\n            },\n            {\n              \"field\": \"type\",\n              \"notEquals\": \"Microsoft.AzureActiveDirectory/b2cDirectories\"\n            }\n          ]\n        },\n        \"then\": {\n          \"effect\": \"[parameters('effect')]\"\n        }\n      }\n    }\n  }",
+    "$fxv#112": "{\n  \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n    \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n            \"equals\": \"Approved\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n                \"notEquals\": \"[[subscription().subscriptionId]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#113": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#114": "{\n  \"name\": \"Deny-Databricks-NoPublicIp\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public IPs for Databricks cluster\",\n    \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n            \"notEquals\": true\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#115": "{\n  \"name\": \"Deny-Databricks-Sku\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny non-premium Databricks sku\",\n    \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n            \"notEquals\": \"premium\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
+    "$fxv#116": "{\n  \"name\": \"Deny-Databricks-VirtualNetwork\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n    \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n                \"exists\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#117": "{\n  \"name\": \"Deny-MachineLearning-Aks\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n    \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AKS\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#118": "{\n  \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#119": "{\n  \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"allowedVmSizes\": {\n        \"type\": \"Array\",\n        \"metadata\": {\n          \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n          \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n        },\n        \"defaultValue\": [\n          \"Standard_D1_v2\",\n          \"Standard_D2_v2\",\n          \"Standard_D3_v2\",\n          \"Standard_D4_v2\",\n          \"Standard_D11_v2\",\n          \"Standard_D12_v2\",\n          \"Standard_D13_v2\",\n          \"Standard_D14_v2\",\n          \"Standard_DS1_v2\",\n          \"Standard_DS2_v2\",\n          \"Standard_DS3_v2\",\n          \"Standard_DS4_v2\",\n          \"Standard_DS5_v2\",\n          \"Standard_DS11_v2\",\n          \"Standard_DS12_v2\",\n          \"Standard_DS13_v2\",\n          \"Standard_DS14_v2\",\n          \"Standard_M8-2ms\",\n          \"Standard_M8-4ms\",\n          \"Standard_M8ms\",\n          \"Standard_M16-4ms\",\n          \"Standard_M16-8ms\",\n          \"Standard_M16ms\",\n          \"Standard_M32-8ms\",\n          \"Standard_M32-16ms\",\n          \"Standard_M32ls\",\n          \"Standard_M32ms\",\n          \"Standard_M32ts\",\n          \"Standard_M64-16ms\",\n          \"Standard_M64-32ms\",\n          \"Standard_M64ls\",\n          \"Standard_M64ms\",\n          \"Standard_M64s\",\n          \"Standard_M128-32ms\",\n          \"Standard_M128-64ms\",\n          \"Standard_M128ms\",\n          \"Standard_M128s\",\n          \"Standard_M64\",\n          \"Standard_M64m\",\n          \"Standard_M128\",\n          \"Standard_M128m\",\n          \"Standard_D1\",\n          \"Standard_D2\",\n          \"Standard_D3\",\n          \"Standard_D4\",\n          \"Standard_D11\",\n          \"Standard_D12\",\n          \"Standard_D13\",\n          \"Standard_D14\",\n          \"Standard_DS15_v2\",\n          \"Standard_NV6\",\n          \"Standard_NV12\",\n          \"Standard_NV24\",\n          \"Standard_F2s_v2\",\n          \"Standard_F4s_v2\",\n          \"Standard_F8s_v2\",\n          \"Standard_F16s_v2\",\n          \"Standard_F32s_v2\",\n          \"Standard_F64s_v2\",\n          \"Standard_F72s_v2\",\n          \"Standard_NC6s_v3\",\n          \"Standard_NC12s_v3\",\n          \"Standard_NC24rs_v3\",\n          \"Standard_NC24s_v3\",\n          \"Standard_NC6\",\n          \"Standard_NC12\",\n          \"Standard_NC24\",\n          \"Standard_NC24r\",\n          \"Standard_ND6s\",\n          \"Standard_ND12s\",\n          \"Standard_ND24rs\",\n          \"Standard_ND24s\",\n          \"Standard_NC6s_v2\",\n          \"Standard_NC12s_v2\",\n          \"Standard_NC24rs_v2\",\n          \"Standard_NC24s_v2\",\n          \"Standard_ND40rs_v2\",\n          \"Standard_NV12s_v3\",\n          \"Standard_NV24s_v3\",\n          \"Standard_NV48s_v3\"\n        ]\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n            \"notIn\": \"[[parameters('allowedVmSizes')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#12": "{\n  \"name\": \"Deny-AppServiceWebApp-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Web Application should only be accessible over HTTPS\",\n    \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"App Service\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Web/sites\"\n          },\n          {\n            \"field\": \"kind\",\n            \"like\": \"app*\"\n          },\n          {\n            \"field\": \"Microsoft.Web/sites/httpsOnly\",\n            \"equals\": \"false\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#120": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n    \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"maxNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Count\",\n          \"description\": \"Specifies the maximum node count of AML Clusters\"\n        },\n        \"defaultValue\": 10\n      },\n      \"minNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Minimum Node Count\",\n          \"description\": \"Specifies the minimum node count of AML Clusters\"\n        },\n        \"defaultValue\": 0\n      },\n      \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n          \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n        },\n        \"defaultValue\": 900\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n                \"greater\": \"[[parameters('maxNodeCount')]\"\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n                \"greater\": \"[[parameters('minNodeCount')]\"\n              },\n              {\n                \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n                \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#121": "{\n  \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n    \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"notEquals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#122": "{\n  \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n    \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"notEquals\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#123": "{\n  \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n    \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n            \"notEquals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#124": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#125": "{\n  \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
-    "$fxv#126": "{\n  \"name\": \"Deny-AFSPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n    \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n          },\n          {\n            \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n            \"notEquals\": \"AllowVirtualNetworksOnly\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#127": "{\n  \"name\": \"Deny-KeyVaultPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n    \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"2.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.KeyVault/vaults\"\n          },\n          {\n            \"not\": {\n              \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n              \"equals\": \"recover\"\n            }\n          },\n          {\n            \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n            \"notEquals\": \"Deny\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#128": "{\n  \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        },\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"defaultValue\": \"True\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Resources/subscriptions\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"[[parameters('logsEnabled')]\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"chinaeast2\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"logAnalytics\": {\n                    \"type\": \"string\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"name\": \"subscriptionToLa\",\n                    \"type\": \"Microsoft.Insights/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"location\": \"Global\",\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Administrative\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Security\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ServiceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Alert\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Recommendation\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Policy\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ResourceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ]\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#129": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#120": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n    \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"notEquals\": \"Disabled\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#121": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n    \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"maxNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Count\",\n          \"description\": \"Specifies the maximum node count of AML Clusters\"\n        },\n        \"defaultValue\": 10\n      },\n      \"minNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Minimum Node Count\",\n          \"description\": \"Specifies the minimum node count of AML Clusters\"\n        },\n        \"defaultValue\": 0\n      },\n      \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n          \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n        },\n        \"defaultValue\": 900\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n                \"greater\": \"[[parameters('maxNodeCount')]\"\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n                \"greater\": \"[[parameters('minNodeCount')]\"\n              },\n              {\n                \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n                \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#122": "{\n  \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n    \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"notEquals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#123": "{\n  \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n    \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"notEquals\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#124": "{\n  \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n    \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n            \"notEquals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#125": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#126": "{\n  \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
+    "$fxv#127": "{\n  \"name\": \"Deny-AFSPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n    \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n          },\n          {\n            \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n            \"notEquals\": \"AllowVirtualNetworksOnly\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#128": "{\n  \"name\": \"Deny-KeyVaultPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n    \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"2.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.KeyVault/vaults\"\n          },\n          {\n            \"not\": {\n              \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n              \"equals\": \"recover\"\n            }\n          },\n          {\n            \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n            \"notEquals\": \"Deny\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#129": "{\n  \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        },\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"defaultValue\": \"True\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Resources/subscriptions\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"[[parameters('logsEnabled')]\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"chinaeast2\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"logAnalytics\": {\n                    \"type\": \"string\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"name\": \"subscriptionToLa\",\n                    \"type\": \"Microsoft.Insights/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"location\": \"Global\",\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Administrative\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Security\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ServiceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Alert\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Recommendation\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Policy\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ResourceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ]\n        }\n      }\n    }\n  }\n}\n",
     "$fxv#13": "{\n  \"name\": \"Deny-MySql-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL database servers enforce SSL connections.\",\n    \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"minimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforMySQL/servers\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n                \"exists\": \"false\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n                \"notEquals\": \"Enabled\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n                \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#130": "{\n  \"name\": \"Deploy-MySQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMySQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#131": "{\n  \"name\": \"Deploy-PostgreSQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#132": "{\n  \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n    \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"privateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"afs\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-afs\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#133": "{\n  \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone ID\",\n          \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"vault\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"keyvault-privateDnsZone\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#134": "{\n  \"name\": \"Deploy-Private-DNS-Azure-Web\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Web PubSub\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone Id\",\n          \"description\": \"Private DNS zone to integrate with private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"webpubsub\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-webpubsub-azure-com\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#135": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#136": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#137": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#138": "{\n    \"name\": \"Audit-UnusedResourcesCostOptimization\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Unused resources driving cost should be avoided\",\n        \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n        \"metadata\": {\n            \"version\": \"2.0.0\",\n            \"category\": \"Cost Optimization\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n              ]\n        },\n        \"parameters\": {\n            \"effectDisks\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Disks Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectPublicIpAddresses\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"PublicIpAddresses Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectServerFarms\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"ServerFarms Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDisks')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectServerFarms')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"Audit\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#139": "{\n  \"name\": \"Deploy-Sql-Security\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n    \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"vulnerabilityAssessmentsEmail\": {\n        \"metadata\": {\n          \"description\": \"The email address to send alerts\",\n          \"displayName\": \"The email address to send alerts\"\n        },\n        \"type\": \"String\"\n      },\n      \"vulnerabilityAssessmentsStorageID\": {\n        \"metadata\": {\n          \"description\": \"The storage account ID to store assessments\",\n          \"displayName\": \"The storage account ID to store assessments\"\n        },\n        \"type\": \"String\"\n      },\n      \"SqlDbTdeDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n          \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n        }\n      },\n      \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n          \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n        }\n      },\n      \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL database auditing settings\",\n          \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n        }\n      },\n      \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n          \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n          },\n          \"vulnerabilityAssessmentsEmail\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n          },\n          \"vulnerabilityAssessmentsStorageID\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#130": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#131": "{\n  \"name\": \"Deploy-MySQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMySQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#132": "{\n  \"name\": \"Deploy-PostgreSQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#133": "{\n  \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n    \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"privateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"afs\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-afs\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#134": "{\n  \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone ID\",\n          \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"vault\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"keyvault-privateDnsZone\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#135": "{\n  \"name\": \"Deploy-Private-DNS-Azure-Web\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Web PubSub\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone Id\",\n          \"description\": \"Private DNS zone to integrate with private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"webpubsub\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-webpubsub-azure-com\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#136": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#137": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#138": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#139": "{\n    \"name\": \"Audit-UnusedResourcesCostOptimization\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Unused resources driving cost should be avoided\",\n        \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n        \"metadata\": {\n            \"version\": \"2.0.0\",\n            \"category\": \"Cost Optimization\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n              ]\n        },\n        \"parameters\": {\n            \"effectDisks\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Disks Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectPublicIpAddresses\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"PublicIpAddresses Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectServerFarms\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"ServerFarms Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDisks')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectServerFarms')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"Audit\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
     "$fxv#14": "{\n  \"name\": \"Deny-PostgreSql-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n    \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"minimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for PostgreSQL server to enforce\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n                \"exists\": \"false\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n                \"notEquals\": \"Enabled\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n                \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#140": "{\n  \"name\": \"Enforce-EncryptTransit\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n    \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n    \"metadata\": {\n      \"version\": \"2.1.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"AppServiceHttpEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n          \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceTlsVersionEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n          \"description\": \"App Service. Appends the AppService sites object to ensure that  HTTPS only is enabled for  server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n          \"description\": \"App Service. Select version  minimum TLS version for a  Web App config to enforce\"\n        }\n      },\n      \"APIAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"FunctionLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"FunctionServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"WebAppServiceLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"WebAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"AKSIngressHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n          \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"deny\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ]\n      },\n      \"MySQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"MySQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n          \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"MySQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"PostgreSQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"PostgreSQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n          \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"PostgreSQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"PostgreSQL database servers. Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"RedisTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"RedisMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n          \"description\": \"Select version  minimum TLS version for a Azure Cache for Redis to enforce\"\n        }\n      },\n      \"RedisTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n          \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"SQLManagedInstanceTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLManagedInstanceMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n          \"description\": \"Select version  minimum TLS version for Azure Managed Instanceto to  enforce\"\n        }\n      },\n      \"SQLManagedInstanceTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"SQLServerTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLServerminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n          \"description\": \"Select version  minimum TLS version for Azure SQL Database to enforce\"\n        }\n      },\n      \"SQLServerTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"StorageDeployHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"StorageminimumTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_1\",\n          \"TLS1_0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage Account select minimum TLS version\",\n          \"description\": \"Select version  minimum TLS version on Azure Storage Account to enforce\"\n        }\n      },\n      \"StorageHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"ContainerAppsHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n          \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n          },\n          \"minTlsVersion\": {\n            \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#141": "{\n    \"name\": \"Enforce-Guardrails-KeyVault\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n        \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Key Vault\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effectKvSoftDelete\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvPurgeProtection\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvSecretsExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvKeysExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvFirewallEnabled\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvCertLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"audit\",\n                    \"Audit\",\n                    \"deny\",\n                    \"Deny\",\n                    \"disabled\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"maximumCertLifePercentageLife\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The maximum lifetime percentage\",\n                    \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n                },\n                \"defaultValue\": 80\n            },\n            \"minimumCertLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvKeysLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumKeysLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvSecretsLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumSecretsLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSoftDelete')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvCertLifetime')]\"\n                    },\n                    \"maximumPercentageLife\": {\n                        \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n                    },\n                    \"minimumDaysBeforeExpiry\": {\n                        \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#142": "{\n    \"name\": \"Enforce-ALZ-Decomm\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n      \"policyType\": \"Custom\",\n      \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n      \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"Decommissioned\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [ \n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"parameters\": {\n        \"listOfResourceTypesAllowed\":{\n          \"type\": \"Array\",\n          \"defaultValue\": [],\n          \"metadata\": {\n            \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n            \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n            \"strongType\": \"resourceTypes\"\n          }\n        }\n      },\n      \"policyDefinitions\": [\n        {\n          \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n          \"parameters\": {\n            \"listOfResourceTypesAllowed\": {\n              \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n            }\n          },\n          \"groupNames\": []\n        },\n        {\n            \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n            \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n            \"parameters\": {},\n            \"groupNames\": []\n          }\n      ],\n      \"policyDefinitionGroups\": null\n    }\n  }\n  ",
-    "$fxv#143": "{\n    \"name\": \"Enforce-ALZ-Sandbox\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n        \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Sandbox\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"listOfResourceTypesNotAllowed\": {\n                \"type\": \"Array\",\n                \"defaultValue\": [],\n                \"metadata\": {\n                    \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n                    \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n                    \"strongType\": \"resourceTypes\"\n                }\n            },\n            \"effectNotAllowedResources\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectDenyVnetPeering\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectNotAllowedResources')]\"\n                      },\n                    \"listOfResourceTypesNotAllowed\": {\n                        \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n                      }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#144": "{\n    \"name\": \"DenyAction-DeleteProtection\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n        \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#145": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"3.2.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"PostgreSQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n          \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MySQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n          \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MlPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n          \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"RedisCachePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n          \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BotServicePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Bot Service\",\n          \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AutomationPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Automation accounts\",\n          \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AppConfigPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Configuration\",\n          \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"FunctionPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Function apps\",\n          \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n          \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service apps\",\n          \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ApiManPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for API Management services\",\n          \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      },\n      \"ContainerAppsEnvironmentDenyEffect\" : {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Container Apps environment should disable public network access\",\n          \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#146": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"2.2.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AVDScalingPlansLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#147": "{\n    \"name\": \"Deploy-MDFC-Config\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"metadata\": {\n            \"version\": \"6.0.1\",\n            \"category\": \"Security Center\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"emailSecurityContact\": {\n                \"type\": \"string\",\n                \"metadata\": {\n                    \"displayName\": \"Security contacts email address\",\n                    \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n                }\n            },\n            \"minimalSeverity\": {\n                \"type\": \"string\",\n                \"allowedValues\": [\n                    \"High\",\n                    \"Medium\",\n                    \"Low\"\n                ],\n                \"defaultValue\": \"High\",\n                \"metadata\": {\n                    \"displayName\": \"Minimal severity\",\n                    \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n                }\n            },\n            \"logAnalytics\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Primary Log Analytics workspace\",\n                    \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n                    \"strongType\": \"omsWorkspace\"\n                }\n            },\n            \"ascExportResourceGroupName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n                }\n            },\n            \"ascExportResourceGroupLocation\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n                }\n            },\n            \"enableAscForCosmosDbs\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSql\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSqlOnVm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForDns\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForArm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForOssDb\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForAppServices\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForKeyVault\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForStorage\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForContainers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServersVulnerabilityAssessments\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"vulnerabilityAssessmentProvider\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"default\",\n                    \"mdeTvm\"\n                ],\n                \"defaultValue\": \"default\",\n                \"metadata\": {\n                    \"displayName\": \"Vulnerability assessment provider type\",\n                    \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n                }\n            },\n            \"enableAscForApis\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForCspm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForOssDb')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVM\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n                    },\n                    \"vaType\": {\n                        \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForAppServices')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForStorage')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforContainers\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    },\n                    \"logAnalyticsWorkspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForKeyVault')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForDns\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForDns')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForArm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForArm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSql')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForApis\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForApis')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCspm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCspm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"securityEmailContact\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n                \"parameters\": {\n                    \"emailSecurityContact\": {\n                        \"value\": \"[[parameters('emailSecurityContact')]\"\n                    },\n                    \"minimalSeverity\": {\n                        \"value\": \"[[parameters('minimalSeverity')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"ascExport\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n                \"parameters\": {\n                    \"resourceGroupName\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n                    },\n                    \"resourceGroupLocation\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n                    },\n                    \"workspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#148": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"2.1.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationWebhookPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosMongoPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosCassandraPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosGremlinPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosTablePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPortalPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDatabricksPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureHDInsightPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMigratePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMigratePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueuePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueueSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLODPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseDevPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesKeyPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesLivePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesStreamPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId1\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId2\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId3\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId4\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId5\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Webhook\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"DSCAndHybridWorker\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"SQL\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"MongoDB\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Cassandra\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Gremlin\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Table\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"dataFactory\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"portal\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-UI-Api\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"databricks_ui_api\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-Browser-AuthN\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"browser_authentication\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"cluster\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Sql\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"SqlOnDemand\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Dev\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"keydelivery\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"liveevent\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"streamingendpoint\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n        \"parameters\": {\n          \"privateDnsZoneId1\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n          },\n          \"privateDnsZoneId2\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n          },\n          \"privateDnsZoneId3\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n          },\n          \"privateDnsZoneId4\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n          },\n          \"privateDnsZoneId5\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#149": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"HealthcareAPIsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n          \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#140": "{\n  \"name\": \"Deploy-Sql-Security\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n    \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"vulnerabilityAssessmentsEmail\": {\n        \"metadata\": {\n          \"description\": \"The email address to send alerts\",\n          \"displayName\": \"The email address to send alerts\"\n        },\n        \"type\": \"String\"\n      },\n      \"vulnerabilityAssessmentsStorageID\": {\n        \"metadata\": {\n          \"description\": \"The storage account ID to store assessments\",\n          \"displayName\": \"The storage account ID to store assessments\"\n        },\n        \"type\": \"String\"\n      },\n      \"SqlDbTdeDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n          \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n        }\n      },\n      \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n          \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n        }\n      },\n      \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL database auditing settings\",\n          \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n        }\n      },\n      \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n          \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n          },\n          \"vulnerabilityAssessmentsEmail\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n          },\n          \"vulnerabilityAssessmentsStorageID\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#141": "{\n  \"name\": \"Enforce-EncryptTransit\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n    \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n    \"metadata\": {\n      \"version\": \"2.1.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"AppServiceHttpEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n          \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceTlsVersionEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n          \"description\": \"App Service. Appends the AppService sites object to ensure that  HTTPS only is enabled for  server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n          \"description\": \"App Service. Select version  minimum TLS version for a  Web App config to enforce\"\n        }\n      },\n      \"APIAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"FunctionLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"FunctionServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"WebAppServiceLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"WebAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"AKSIngressHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n          \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"deny\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ]\n      },\n      \"MySQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"MySQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n          \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"MySQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"PostgreSQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"PostgreSQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n          \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"PostgreSQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"PostgreSQL database servers. Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"RedisTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"RedisMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n          \"description\": \"Select version  minimum TLS version for a Azure Cache for Redis to enforce\"\n        }\n      },\n      \"RedisTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n          \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"SQLManagedInstanceTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLManagedInstanceMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n          \"description\": \"Select version  minimum TLS version for Azure Managed Instanceto to  enforce\"\n        }\n      },\n      \"SQLManagedInstanceTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"SQLServerTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLServerminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n          \"description\": \"Select version  minimum TLS version for Azure SQL Database to enforce\"\n        }\n      },\n      \"SQLServerTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"StorageDeployHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"StorageminimumTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_1\",\n          \"TLS1_0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage Account select minimum TLS version\",\n          \"description\": \"Select version  minimum TLS version on Azure Storage Account to enforce\"\n        }\n      },\n      \"StorageHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"ContainerAppsHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n          \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n          },\n          \"minTlsVersion\": {\n            \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#142": "{\n    \"name\": \"Enforce-Guardrails-KeyVault\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n        \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Key Vault\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effectKvSoftDelete\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvPurgeProtection\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvSecretsExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvKeysExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvFirewallEnabled\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvCertLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"audit\",\n                    \"Audit\",\n                    \"deny\",\n                    \"Deny\",\n                    \"disabled\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"maximumCertLifePercentageLife\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The maximum lifetime percentage\",\n                    \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n                },\n                \"defaultValue\": 80\n            },\n            \"minimumCertLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvKeysLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumKeysLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvSecretsLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumSecretsLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSoftDelete')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvCertLifetime')]\"\n                    },\n                    \"maximumPercentageLife\": {\n                        \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n                    },\n                    \"minimumDaysBeforeExpiry\": {\n                        \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#143": "{\n    \"name\": \"Enforce-ALZ-Decomm\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n      \"policyType\": \"Custom\",\n      \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n      \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"Decommissioned\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [ \n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"parameters\": {\n        \"listOfResourceTypesAllowed\":{\n          \"type\": \"Array\",\n          \"defaultValue\": [],\n          \"metadata\": {\n            \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n            \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n            \"strongType\": \"resourceTypes\"\n          }\n        }\n      },\n      \"policyDefinitions\": [\n        {\n          \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n          \"parameters\": {\n            \"listOfResourceTypesAllowed\": {\n              \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n            }\n          },\n          \"groupNames\": []\n        },\n        {\n            \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n            \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n            \"parameters\": {},\n            \"groupNames\": []\n          }\n      ],\n      \"policyDefinitionGroups\": null\n    }\n  }\n  ",
+    "$fxv#144": "{\n    \"name\": \"Enforce-ALZ-Sandbox\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n        \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Sandbox\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"listOfResourceTypesNotAllowed\": {\n                \"type\": \"Array\",\n                \"defaultValue\": [],\n                \"metadata\": {\n                    \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n                    \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n                    \"strongType\": \"resourceTypes\"\n                }\n            },\n            \"effectNotAllowedResources\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectDenyVnetPeering\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectNotAllowedResources')]\"\n                      },\n                    \"listOfResourceTypesNotAllowed\": {\n                        \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n                      }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#145": "{\n    \"name\": \"DenyAction-DeleteProtection\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n        \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#146": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"3.2.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"PostgreSQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n          \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MySQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n          \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MlPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n          \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"RedisCachePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n          \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BotServicePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Bot Service\",\n          \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AutomationPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Automation accounts\",\n          \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AppConfigPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Configuration\",\n          \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"FunctionPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Function apps\",\n          \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n          \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service apps\",\n          \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ApiManPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for API Management services\",\n          \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      },\n      \"ContainerAppsEnvironmentDenyEffect\" : {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Container Apps environment should disable public network access\",\n          \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#147": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"2.2.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AVDScalingPlansLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#148": "{\n    \"name\": \"Deploy-MDFC-Config\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"metadata\": {\n            \"version\": \"6.0.1\",\n            \"category\": \"Security Center\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"emailSecurityContact\": {\n                \"type\": \"string\",\n                \"metadata\": {\n                    \"displayName\": \"Security contacts email address\",\n                    \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n                }\n            },\n            \"minimalSeverity\": {\n                \"type\": \"string\",\n                \"allowedValues\": [\n                    \"High\",\n                    \"Medium\",\n                    \"Low\"\n                ],\n                \"defaultValue\": \"High\",\n                \"metadata\": {\n                    \"displayName\": \"Minimal severity\",\n                    \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n                }\n            },\n            \"logAnalytics\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Primary Log Analytics workspace\",\n                    \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n                    \"strongType\": \"omsWorkspace\"\n                }\n            },\n            \"ascExportResourceGroupName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n                }\n            },\n            \"ascExportResourceGroupLocation\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n                }\n            },\n            \"enableAscForCosmosDbs\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSql\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSqlOnVm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForDns\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForArm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForOssDb\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForAppServices\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForKeyVault\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForStorage\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForContainers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServersVulnerabilityAssessments\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"vulnerabilityAssessmentProvider\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"default\",\n                    \"mdeTvm\"\n                ],\n                \"defaultValue\": \"default\",\n                \"metadata\": {\n                    \"displayName\": \"Vulnerability assessment provider type\",\n                    \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n                }\n            },\n            \"enableAscForApis\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForCspm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForOssDb')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVM\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n                    },\n                    \"vaType\": {\n                        \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForAppServices')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForStorage')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforContainers\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    },\n                    \"logAnalyticsWorkspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForKeyVault')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForDns\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForDns')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForArm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForArm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSql')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForApis\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForApis')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCspm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCspm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"securityEmailContact\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n                \"parameters\": {\n                    \"emailSecurityContact\": {\n                        \"value\": \"[[parameters('emailSecurityContact')]\"\n                    },\n                    \"minimalSeverity\": {\n                        \"value\": \"[[parameters('minimalSeverity')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"ascExport\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n                \"parameters\": {\n                    \"resourceGroupName\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n                    },\n                    \"resourceGroupLocation\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n                    },\n                    \"workspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#149": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"2.1.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationWebhookPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosMongoPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosCassandraPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosGremlinPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosTablePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPortalPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDatabricksPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureHDInsightPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMigratePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMigratePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueuePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueueSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLODPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseDevPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesKeyPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesLivePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesStreamPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId1\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId2\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId3\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId4\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId5\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Webhook\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"DSCAndHybridWorker\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"SQL\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"MongoDB\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Cassandra\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Gremlin\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Table\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"dataFactory\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"portal\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-UI-Api\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"databricks_ui_api\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-Browser-AuthN\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"browser_authentication\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"cluster\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Sql\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"SqlOnDemand\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Dev\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"keydelivery\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"liveevent\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"streamingendpoint\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n        \"parameters\": {\n          \"privateDnsZoneId1\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n          },\n          \"privateDnsZoneId2\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n          },\n          \"privateDnsZoneId3\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n          },\n          \"privateDnsZoneId4\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n          },\n          \"privateDnsZoneId5\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
     "$fxv#15": "{\n  \"name\": \"Deny-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny the creation of private DNS\",\n    \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Network/privateDnsZones\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#150": "{\n    \"name\": \"Enforce-ACSB\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n        \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Guest Configuration\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"includeArcMachines\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"true\",\n                    \"false\"\n                ],\n                \"metadata\": {\n                    \"displayName\": \"Include Arc connected servers\",\n                    \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n                },\n                \"defaultValue\": \"true\"\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"AuditIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"AuditIfNotExists\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"GcIdentity\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"WinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"LinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}\n",
-    "$fxv#151": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#152": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#153": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#154": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#155": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#156": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#157": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#158": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForDns\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForArm\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForStorage\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForStorage')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForDns\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForDns')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForArm\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForArm')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#159": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#150": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"HealthcareAPIsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n          \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#151": "{\n    \"name\": \"Enforce-ACSB\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n        \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Guest Configuration\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"includeArcMachines\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"true\",\n                    \"false\"\n                ],\n                \"metadata\": {\n                    \"displayName\": \"Include Arc connected servers\",\n                    \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n                },\n                \"defaultValue\": \"true\"\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"AuditIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"AuditIfNotExists\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"GcIdentity\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"WinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"LinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}\n",
+    "$fxv#152": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#153": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#154": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#155": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#156": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#157": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#158": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#159": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForDns\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForArm\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForStorage\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForStorage')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForDns\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForDns')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForArm\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForArm')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
     "$fxv#16": "{\n  \"name\": \"Deny-PublicEndpoint-MariaDB\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n    \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforMariaDB/servers\"\n          },\n          {\n            \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n            \"notequals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#160": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#160": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#161": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
     "$fxv#17": "{\n  \"name\": \"Deny-PublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n    \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n    \"metadata\": {\n      \"deprecated\": true,\n      \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Network/publicIPAddresses\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
     "$fxv#18": "{\n  \"name\": \"Deny-RDP-From-Internet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n    \"description\": \"This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n    \"metadata\": {\n      \"deprecated\": true,\n      \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n      \"version\": \"1.0.1-deprecated\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n          },\n          {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n                \"equals\": \"Allow\"\n              },\n              {\n                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n                \"equals\": \"Inbound\"\n              },\n              {\n                \"anyOf\": [\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                    \"equals\": \"*\"\n                  },\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                    \"equals\": \"3389\"\n                  },\n                  {\n                    \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n                    \"equals\": \"true\"\n                  },\n                  {\n                    \"count\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"where\": {\n                        \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n                        \"equals\": \"true\"\n                      }\n                    },\n                    \"greater\": 0\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"notEquals\": \"*\"\n                    }\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"notEquals\": \"3389\"\n                    }\n                  }\n                ]\n              },\n              {\n                \"anyOf\": [\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                    \"equals\": \"*\"\n                  },\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                    \"equals\": \"Internet\"\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                      \"notEquals\": \"*\"\n                    }\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                      \"notEquals\": \"Internet\"\n                    }\n                  }\n                ]\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#19": "{\n    \"name\": \"Deny-MgmtPorts-From-Internet\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"All\",\n        \"displayName\": \"Management port access from the Internet should be blocked\",\n        \"description\": \"This policy denies any network security rule that allows management port access from the Internet\",\n        \"metadata\": {\n            \"version\": \"2.1.0\",\n            \"category\": \"Network\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"ports\": {\n                \"type\": \"Array\",\n                \"metadata\": {\n                    \"displayName\": \"Ports\",\n                    \"description\": \"Ports to be blocked\"\n                },\n                \"defaultValue\": [\n                    \"22\",\n                    \"3389\"\n                ]\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"anyOf\": [\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n                            },\n                            {\n                                \"allOf\": [\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n                                        \"equals\": \"Allow\"\n                                    },\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n                                        \"equals\": \"Inbound\"\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"in\": \"[[parameters('ports')]\"\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"where\": {\n                                                        \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n                                                        \"equals\": \"true\"\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"name\": \"ports\",\n                                                    \"where\": {\n                                                        \"count\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notIn\": \"[[parameters('ports')]\"\n                                                }\n                                            }\n                                        ]\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"Internet\"\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"Internet\"\n                                                }\n                                            }\n                                        ]\n                                    }\n                                ]\n                            }\n                        ]\n                    },\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n                            },\n                            {\n                                \"count\": {\n                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n                                    \"where\": {\n                                        \"allOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n                                                \"equals\": \"Allow\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n                                                \"equals\": \"Inbound\"\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"in\": \"[[parameters('ports')]\"\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"count\": {\n                                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                                    \"where\": {\n                                                                        \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                        \"equals\": \"true\"\n                                                                    }\n                                                                },\n                                                                \"greater\": 0\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notIn\": \"[[parameters('ports')]\"\n                                                        }\n                                                    }\n                                                ]\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"Internet\"\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"Internet\"\n                                                        }\n                                                    }\n                                                ]\n                                            }\n                                        ]\n                                    }\n                                },\n                                \"greater\": 0\n                            }\n                        ]\n                    }\n                ]\n            },\n            \"then\": {\n                \"effect\": \"[[parameters('effect')]\"\n            }\n        }\n    }\n}",
@@ -406,10 +407,10 @@
         "[variables('$fxv#107')]",
         "[variables('$fxv#108')]",
         "[variables('$fxv#109')]",
-        "[variables('$fxv#110')]"
+        "[variables('$fxv#110')]",
+        "[variables('$fxv#111')]"
       ],
       "AzureCloud": [
-        "[variables('$fxv#111')]",
         "[variables('$fxv#112')]",
         "[variables('$fxv#113')]",
         "[variables('$fxv#114')]",
@@ -423,10 +424,10 @@
         "[variables('$fxv#122')]",
         "[variables('$fxv#123')]",
         "[variables('$fxv#124')]",
-        "[variables('$fxv#125')]"
+        "[variables('$fxv#125')]",
+        "[variables('$fxv#126')]"
       ],
       "AzureChinaCloud": [
-        "[variables('$fxv#126')]",
         "[variables('$fxv#127')]",
         "[variables('$fxv#128')]",
         "[variables('$fxv#129')]",
@@ -434,45 +435,46 @@
         "[variables('$fxv#131')]",
         "[variables('$fxv#132')]",
         "[variables('$fxv#133')]",
-        "[variables('$fxv#134')]"
+        "[variables('$fxv#134')]",
+        "[variables('$fxv#135')]"
       ],
       "AzureUSGovernment": [
-        "[variables('$fxv#135')]",
         "[variables('$fxv#136')]",
-        "[variables('$fxv#137')]"
+        "[variables('$fxv#137')]",
+        "[variables('$fxv#138')]"
       ]
     },
     "loadPolicySetDefinitions": {
       "All": [
-        "[variables('$fxv#138')]",
         "[variables('$fxv#139')]",
         "[variables('$fxv#140')]",
         "[variables('$fxv#141')]",
         "[variables('$fxv#142')]",
         "[variables('$fxv#143')]",
-        "[variables('$fxv#144')]"
+        "[variables('$fxv#144')]",
+        "[variables('$fxv#145')]"
       ],
       "AzureCloud": [
-        "[variables('$fxv#145')]",
         "[variables('$fxv#146')]",
         "[variables('$fxv#147')]",
         "[variables('$fxv#148')]",
         "[variables('$fxv#149')]",
-        "[variables('$fxv#150')]"
+        "[variables('$fxv#150')]",
+        "[variables('$fxv#151')]"
       ],
       "AzureChinaCloud": [
-        "[variables('$fxv#151')]",
         "[variables('$fxv#152')]",
         "[variables('$fxv#153')]",
         "[variables('$fxv#154')]",
-        "[variables('$fxv#155')]"
+        "[variables('$fxv#155')]",
+        "[variables('$fxv#156')]"
       ],
       "AzureUSGovernment": [
-        "[variables('$fxv#156')]",
         "[variables('$fxv#157')]",
         "[variables('$fxv#158')]",
         "[variables('$fxv#159')]",
-        "[variables('$fxv#160')]"
+        "[variables('$fxv#160')]",
+        "[variables('$fxv#161')]"
       ]
     },
     "policyDefinitionsByCloudType": {

From 5daff48bb52290c7d0f4a0b4a5690c68c7c5a33f Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Thu, 14 Dec 2023 20:23:01 +0400
Subject: [PATCH 4/8] Minor What's New Update

---
 docs/wiki/Whats-new.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index f908117221..123f8e0d58 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -44,6 +44,8 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 #### Policy
 
+> **IMPORTANT** We've updated the ALZ Policy FAQ with important information about the new Diagnostic Settings v2 policies and initiatives that are will be landing soon. Please read the [ALZ Policy FAQ and Tips](./ALZ-Policies-FAQ) for more information.
+
 - Added new initiative default assignment at the Intermediate Root Management Group for [Resources should be Zone Resilient](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/130fb88f-0fc9-4678-bfe1-31022d71c7d5.html) in Audit mode.
 - Added new custom policy and default assignment at the Intermediate Root Management Group for "Resource Group and Resource locations should match", which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience.
 

From a82714b1aa28e62a9e5824029a38615222c3fbbb Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Thu, 21 Dec 2023 16:51:36 +0400
Subject: [PATCH 5/8] Removing custom policy and using the built in.

---
 docs/wiki/Whats-new.md                        |   2 +-
 .../wiki/media/ALZ Policy Assignments v2.xlsx | Bin 37300 -> 37411 bytes
 ...IT-ResourceRGLocationPolicyAssignment.json |  20 +-----
 .../Audit-ResourceRGLocation.json             |  58 ------------------
 src/templates/policies.bicep                  |   1 -
 5 files changed, 2 insertions(+), 79 deletions(-)
 delete mode 100644 src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json

diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md
index 123f8e0d58..43c098685a 100644
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@@ -47,7 +47,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 > **IMPORTANT** We've updated the ALZ Policy FAQ with important information about the new Diagnostic Settings v2 policies and initiatives that are will be landing soon. Please read the [ALZ Policy FAQ and Tips](./ALZ-Policies-FAQ) for more information.
 
 - Added new initiative default assignment at the Intermediate Root Management Group for [Resources should be Zone Resilient](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/130fb88f-0fc9-4678-bfe1-31022d71c7d5.html) in Audit mode.
-- Added new custom policy and default assignment at the Intermediate Root Management Group for "Resource Group and Resource locations should match", which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience.
+- Added new default assignment at the Intermediate Root Management Group for [Resource Group and Resource locations should match](https://www.azadvertizer.net/azpolicyadvertizer/0a914e76-4921-4c19-b460-a2d36003525a.html), which will help customers better manage and identify regionally deployed resources and ultimately support improved resilience.
 
 ### November 2023
 
diff --git a/docs/wiki/media/ALZ Policy Assignments v2.xlsx b/docs/wiki/media/ALZ Policy Assignments v2.xlsx
index 86aad013cdf896bbf1d3fa737710e77bd9c18666..80fef44bf4249ed7f9da16f981321d326e50d885 100644
GIT binary patch
delta 14022
zcmYj&b8sd=?{NFnxY};7wr$(()wa#+J+=MRwryN(yS>`Bef{qJ%{TMD`$uMXGqcDh
zlVp=L6#@#20ChevP$YfQLYE*Q3;}T6VV@Jlk7*XD90K-UB)vG*fZ|K4tI8$Oz?{W?
ziUp0RQ@}u$SeEE^LGlN9t=w&~$+%$$5w;k=xSO8NR#+K#Ua^=1hn=(}K&Y?NA$b;k
z*kthVuzjueeU^jNIeR~Gsi?FEB_DY4^|7!Nd0UEWs)Pr&SWt?s%9(E+Sp_7)#7eCq
z<+zx{t*wIuG0D$41-h!BkX6n%F-&mL$=mt`q1?GL|M{uNhSq4OouK0&%uQ1d`Bsn@
z^Cw?pmB$J5NNHktRBH)rFgiuOyD6_j(|q@_z=B{#*2y=9-+pTMctEJZsLqqCZ+T1u
zbBY_?j*$s`Z6jXrmROro)Db9JCm7S`EnPD<#-_ou(YW`QPy5xE{tGO$ida&Nq*{}X
z6!JRTYAYwR`nmR~i5waK)TYf^a9`HEVzC(wA^ku-@pq|buNmE)MF3M~Ut&s~t!Mn@
zxdo8v7!?M>g*Z9!22YOFtQoT0zWl4KO6S73Pk3-G?W4IUOZd`1xEDx><BYYJj$^EC
zC1>#Tz@GIXdsupCCyz%->G>_J0|SlLIT4HjsfA=%KU9u&Oq-ID?oFHubBrd3;1oR<
zYXGQBJ+1C94?7<Ea`d_m1`Z^;Qs++83pzf3fo63M%Oz!s_cQvFa>)Tn#IwM=Pnyx~
zLlg<1YKR$aK^wS~gaCdQwzhdG7eM5#&*c7fOvgR&$!zLH6J<Y+>89jK+C!z=>eaO_
zqS;pT8Zcbh{K>ZXF;%zzUO}Kabs3PD%pES4zV?=|%%l70HUP&@ah5s&(5m!!PB>~f
zIaS<Qe{WU_W`xhPD->oB#iX_o_~dZvC?{^OH!dtQZ4)!Y4Fa}h;)smIhSeVzIis{D
zO@3FjCx&vktXismD$EpWMy0cUDv%JJm8i}rnx(gV8S==Bt6Z)OM4sVS|8aj#Kx6m?
zWi}Y$eAnRn(6C8sDn&u%ssqwnB1PeAXn80(Z>V7`rO{}{G>x#-Lea>{+wLUf3YQnT
z&nl};*!sHBPX!8oxS;Ci-R!j@AnT_~VF!wDCkEg*psp+~R@6q(^C=&U>1@HSPAj`$
zGz93;ooVT>)S->AZRFYF2b}*Io{hO2JSTT%y-6ZkvSj)Y$^h!V?q2y;Xkn#I_{KI;
zl|8YfBa_I};#I&0T(hhOU?bAQP<PPCe#3Sb;f2`d_-)7S{u?PWEFzU?l=k`f+O8{L
zwOgT1Pjp80vZ7gxqhx*QbMI$k-PC)g0eY<I;po%lHQ{fFYdM#r-G|-Dpn;jz=T^&{
zE}5&+xYPEq!gUdXY@i@sTp`o*7;z`vBoOh0a@WSr+~&$`{tF+p^9=)p8->(ZgrE$7
z2lr}JoWcPEa}Ngn{YC;@k6mL%3B9I!BqZAg4SJx#l69JRYP<VtJbKv^Kw!zp+c)}G
zbo-7>gBK;!YQf=vxVI;T?)e(uP4%H_Me)ls0K3eR0ak6a=8cTAao012aPZOQ3S+cO
z;ehO5k!Me0p-CiJ$0<oze6V~Ls5Pz5Ov!{@d=)nIifpT$X<6WDhW1P4O2VpjpX`^i
zz65z}W0^&R2!nA&t#R3stjlfDOE*@GJ*kfRr0A!`ch8d2r4Ky4sRxf9d}obou==Fr
zCMskJk*QLqb4lx#D&c2Ts%RLgZ^Qt@wbI*_ZL<oBmGQFVZvh0&96iaoQr?3v!akK>
zw1|pi3<kycJGelJtsiKLFjzbTCw#`MV6K<*3tjXG4=_ygX@X{6;tSraveeU3$UGE<
zLnb1*L<>puN4JJ<Tyzxjf6C#Tv@oq=OLNtt3p&%eW|e4=j!X!(T0SUg`>OrPaiFGi
z<%(Mz_7U_V!L2`_!^}3uf80`6z>ktFeK>$nQc3Vw^=g3cb~9UZhHlD{nCm~DR5W_b
ztht~vf~_;mK+chGzJ^P?p!oBcki<mh07h<ng^2|aGr<RfdB|e%K?OkY1G?Gm80BIl
zwmLRNVVE@5_3Y1ZPS$s0<Zb-QGse#ADPb^$9I)G2G-@~+3YMV*9ccL}HWClS#BEI|
z>L<u>LU7}eV@iDr$jC?7a6i;rdkHf_a1$x%o9b#DPsH%9czhVZwMs37iJ=5q?1*WG
zp3vfNQ{fBTo!s@%$lY(-J_uM{SZI`RihCFRc(d1Ee-Mz7rcMs{H>1#*5myMQ9j}34
zjS(o{Ac0Unp$R5sU62oG=Zw}klILua$yrJPUFA&;Z??&!PT?4+TRzCFVI$&%zdPJe
zsnN~e(Y@h)6k#ScyLj>JY|VKj8m_DZmcKc)ChV55ZmjpWo;}+X*SHWTKJNyp7sn0$
zseo|~9>W;H+wg}FakiTZdL30dhubUrGtys$uLoT6p_Ol(Jy)dKIun7E4ZnANoHoM)
zUpTcM!wFy&Zs9;RwXB?Y{oBEC{a|+>9B|>43^-j@2WW5vr*A{qETa(epe77BI)1d?
zHS_0~u9!G9yOK$ECnH8*D)gr5ikp_hAw{=KU`Va6_p6T;33?f?jfpdglc)dA_l(Ip
z<prYCfE_ZrD3Q9T1VFQ;lX+s2#B1-FFT1l^L#gCFoB8}`=$01c6c?v<9BgeE7xL(}
z0!KAsWzLZY#|G?OH2oxztb{RX@}i#PO<xR5hhI>nY#;$>7#!QT*@{<p5E%;RHDOaj
z9MD4P!4gbfeR`4HM>5BsHbGYC!|FZ;G6Kb=82>GPJ)lo*xhR4^v%k`r%8HAV3g^JD
z1rB~+Pl1dhM`>hdc}Mrnra<Y?wHXva5H9_=!_a1X5Y6MGpE=gsCJFu(Fsv$sj8jYW
zv#M*&n_}9hZ-K&uR$lizD=}GSBG*n0D*LI9M~pt$IG8uhRY0OS+P9L{Q!8e=As}fy
zkp!_^UWZToU^e_B<Ior|oE-GL?MpWlP)}Psb%5mK=T02Xl5RvV(C^Rf`|6MzUJvDn
zTPaJqo`hABEq}l-&Pj1Sr~kc;Do<O;1N`4z<%l3zldYI5i3sk_0sz{Nb;2=cq+W0Z
zR1jn&i?8iID_r^h^=G8LW=8UqkVbY>g&=HfV)X^@B5t2J9GsQWkvq99X5wlhBl-z)
zBh3-9<An-S<7K?fh-Ee7HN1pply;>J-{;GSgURe117QMlR%S-DHgF%`<l*^4Bphrw
z!PK0}RPJPH9|ce(HZKsHe9^<7`}vF)Y#;Acs|IyaiV1D*=K~okOJd_lzdD{ZltEgH
zq!|w+?akJ@!wM{;lyr9-%CUh`iobKr4sBqyJ2Uab_d3QVrNCD=nHg(@CM=rOQ^SBQ
zbsa*umD-SmQxtC|L_Eh!kPkDU37PP_GW4iB{2wIlGzt*R9TadTeF-6<*hMStEJ+hW
z!CcZld(<oZLUzmBmy^ddRqve>6fx(jWAt+f!q&u;wlDZ04-2|6Xsy4haSX`@VZq>T
z)Gf`m@iWD|*ZriA;ZNBm%0I!#Q4q{H7iUx52Zz2#ivwuK98ZfibdH)gwWyj26!k{Q
z`t|yPQQB8c1_2oj@(~mC%6q3^vJ&i-!LPv~w2NCID>$h;WAw;4lJQ1;VSl%~{i>N;
z0f6j+B872D(BX09Xb9v}1^wxZnd3FlpejP<@7Dm$A!HC_bz<LUCv7Rf<?$YRIRWN@
zi>?%soBSph!`PxW7^FoW1_6xQFSN?KG!3L=vQT>A;J_=i6Pc0!2y>1qI57Z5treD}
zQ(PwCA?dGH-kRqUS0?--)|o7w39J@suiMj}1>`u`sx>-GimH*8TZfDa$z_4na+moc
zs}6;FZH`LBBELOe&BOQUnWfA{z2H&eLJ{fCP1q#VL?KzRXd0+giie>f2*^AANI=BF
z2wK?|u=t@k9nh?HCi}z0|7tV2U>)vF%7!|zyE)#OTZ7gK8vwI_e*meiIA@fi_6wiv
z^s}`*dRa3vD`J!p>avqgLZG|j5JIFO#nS(0CcG9pcN!5t_yLbZ<1(le%}QU1yvtGu
zv#feCIh73h<X)eqjkhkr@EA6MH-uHV1|zxzXhE!?Tf0XDb{7Z`{L*AtMJr>ZUIa1x
zBM~b#8IJ@Prd=+;if)!0G7mAH4wISMiMgu>5Pys@rDK@F7+|5YZ79VSR3L0$yqMSa
zV#y2L0VL@ulJbWJjX=<VAe;qZ(wM-HP>gZ_lPtaRA=a{uUGoXtLZ!8~HfZ2UJ{mxp
zf3MWEKp`0=Kp+o-C6$S%3T|4XQ|{V24e$+EQ%#_n`}xBO;Ri}$_Xec$*-~P-a5@P(
z?M*2ubu42hjK5v;fG}&JX@E`kK`R^P$+r93%imVPFJv&VuP?CwfZsaSj`(AkA9SJq
z2kVV*f?1Ey0-J0RT<0;U$6!xUKo+UE!76e1gHZ#XQJ_+cncR2hU}ehYc+&8ODH@NS
z!iuf;nr;Hkr9HdRbL{ht9zpnzCFBg^t{3;uGnct8!8c?k4p7K0xw~=^`LntgO&Psh
zdckr5;zf_t$TrZ^$30=iGU|{ib8Lpo@lBGTOREQO+u^fhAk#ByYDn7;`1p3>hQr8N
z8yhF&_x8~6SI?99-bd@_^m*z8Kfy{alcr_VlTE!IV${FM$;?imbJpF^>RIGg39YIg
z!~4+K#KP{!1(D0SgcGKB30k?TI6RqCWcQ6qCJCL&megOU>Wn<7JBR{>s5i6rHN+?n
zF`*j8{szHLJVX9qMtx(Two&451&Z<=cBouPYg7H=$OBB|#@R>64t_+pt%;6nA0<Lt
zfpSfcgQUx`*BVYeiwT=&lpYgS$SZhRiJ<@?Zd&zz1xN;NQR$Rle@~_$g=%(Dq-x!n
zTr=_K*JM=%JP%@4$b)Y+n@SoheueiuXhdtc4Q8?QI`Ttd@@R(uk=0p@$<P~*9jRWN
zvBP>Dn-692MC`K}XpY!khkYybmnYALpWOd#X(^I2u4&dJI?u~897mlnfX6dI*GJqp
zvw8rr!<zF1PI*d`G`BV;PpcbNwwr;sU{+CVow?jnWBe($*g`Kprbebx<gcpc1*xr~
z8nBIftO_4Elfw&qMqg|Tbd<c*NR`->8LyJqXmM9^hxzDGYq8d$;%j$bt~%glrh*L{
zmzJn4LkSVDmXR=-r<$3kw+WE-(#6~)D$`F{y^%z-RZa^zVOQ)rN4@E4^jop2eSFmZ
zs-MVwa_{8rDO-6Bo3eR*fBV=&wrnRhF#NH%J$A#VvO5FR6Bw@T(LCt%{mZol39Ls5
zME;-{Sa}huA?`HD%KA$=gV{Qh%?^Xb@H{CgtCGh9YcZxhop3any2esY#|N~fu54`$
zZF@h`lJoYKxMsv}YU8>lDgl^UL}w)y$is^71L8@;k|YA14!Z8|p`_*cdef%fcYT4Y
zd6)}5|2)FeGnc$v&UJmw<l<OFm<ZSJ#d|of<|J9w?DgR)FD8FUN}F?p(lO<2Vmt|L
ze_oee^RvztD)6L2xi^&iuGZDK9(nHru_1{!cK3m$$8YT~$NW%(J`&{*Cy_F8N!k%e
z_7XJC_EkTNmf_Va_!vD&eAF4=mpZ1@8P^||hHik*?p+)7p$wXR$&A|C@iZK1;fW^)
z=E>4nvg&KhMY0_DHZE&RFCgzZf#ryz&o3ENd5Qroef~Qy`8CLC)VbK=hAr|dHPqt-
zMPC4r6(WPgy+%USjiY%rsGt3NI=iYG)6dJ|seZPn8~+##ihdDvIpL~cn2UlY4EMum
z%PpXF>5=jF_ZKBfLG(Y70miH&B9827QS&Kh^tf;ki|t&pPk%}6zO|HSpN{c?*PyD2
zgm^@xVM9Ms-?2_%%kfkn{v_^zU|oKe4Zv(Qh@Y>9TsXxiahYV9!_{3sW)SHlc_BeI
z4D|4+@hO7j(GAGJN({J4W{Jn|q0qpflmr2*obTs2F|B?QcmK%jR#6Sw;SebJrWcpt
zQ{-Y#<ukNib??#S42_E}nSvL;-hqJ;*^lOBbXufdY;sSpv1L2;jv{Eyd)OF+=fq(2
zOr{2Mg}K=AlV?wPo{@j?5V_fn^&*VExqR73u!$9S6@4*5)X-L^{)Ut&np}n)Ac6*j
z(h!j-9#qXpEpn+il`Ou^tUyri3jbR&TC5_4IhUs-r2tJZVP%^w?II{s;-_;V2H7>O
zzYkej6GWt1Hfscjf;Ws);%2eNewKc^gaj+NF_#r2vCf$L@z(xf+>{KE*9vN;vs#<;
zm1S1g;b$%^q;02Zy18HBOl~L?{Wt<z?N^T(_#^mk2Vq)PkF|D@EW?*~Xtr-{FSb~!
zh5RF*5%PAT$FHm9=KMfkd}k#jb=cqE0F!Ju(Xy^ilX(cr1>O@*<IF=K?b~3mTOF>p
z96XaPlJzyBm0>%Cb0wFBrr)PMS|~G~_IxB>NGy#LR6YM$Ok{%10Zm@A515yd?SetZ
zua=us8Sg1G>P?w{rQHR?Do@q_S6{z}DRpzmrk<ch-e4F+w^OZ#`G8}xtf~@lR=|CN
zL-LUBvr`3pEG-omB^agr+$-(TWfEK#D|uM(ee-UfWGh3M>IzCVusMN;{;`Qr6mC>e
zRn$10azB4$AjBKbl~H|33UnoZ<c!;5Pa{wjS6$a)a6N8dea+V?<Ni5TgkS<C<%jhG
z4O#&)?#fB2)EONu^>>YbnAI~24c*v(UteBcl-?FD4)E=_ct~=u=G%U5x#j9G?l+5W
z7WG18by}oWmBqy9x9Uu)uS*P=34h)7&){V=A>O($yOd`@B)}F_1p*eS+M)@KT+2wx
z7^fYn`yf5QuL_De)b;Nz5RFGQFrj4>scpY8F&C#hMl3i_f~@a9+AaHdk92Ozrm5Qw
zO1?vk_+U(E_p_O|TepU?I=NQECbY%Cayk*;=|H2+)4`!nYItn1s;j9m<xG+s3-$e&
zI8aJ`?9g3_YW(&|0W|z<?B-v;Q%GzL?PDj8VIzXm3qEMbqGgDQ4u#pt&81Z6T(c@5
zFv+>a^m@6ql*P4pcpV5*Owff=Q3BJ?Lnxf)K8F}|yP1QWxbY*pe#kovfR0i7eSL1e
zQuS-|PN8Ca6re>&ETQc$aVU#$#G%+{;-o1qpoCx29kCI{3A8GF+sN}}?<$`I80WB8
zSckg<4EZycH@xyd(N)4W@*(4-T99H@{%uBh;MrB?X(-O7$NQoR6mwPuKiOoyrEZ$!
zF)18NA;vAZu&sO0{z=9hI2N-Ok-q^W#U=?Ix2Yo1+i^Uurs25cb0L<RYRZaIG*5$K
za9CYVvtSvb0j?C>>#v){x0z$T;2<s_CIdE6m)T`~nQ>$aCHb(2MK->dbEQP+X1co}
zJ>B1K=VT#YYn~g6E%~@BI;P;f4E))4nKyyQ3_Vik8DxfsqJ_eTfLz5P`!FdzlDHcc
zz1q3jFVb%;CER^u#UtGTiyGbi(EzK!M5|<UR#8#K2JD}jA(FIwM7jd;?f#VLjyMF;
zGjX-Q>uyys?pisLm3#ubaIlV}X0(j87>IM)&^gtSx|HFxvTqnw&dCg1CMf8FL`Nq_
z9<5Bb{et~A$SrK5oZ-aU0l>iXkbVj?IX_e5R%t4mW{!tN-WwwkFy?#6Cu$YmBxwA;
zj&O!#Akq~odh~Xs7tB=%X*W{~r8OzVR3OFG?6yWQa;&UAiiPI9I%A2}WY`0DVuyfH
zb6mh3LkL6^?G5~}$JCM)wcHJ#8cBEIlT~O)vvbbDm@gg1I}WUoS5DMcd@XL;uVH(x
zJfA^t2nu*W+2=B>A;O@jznzCx4emZ!%z%>uQ0J{*LN~paXl&FvT@!|g?y@%_5G1>A
zL?byV#Ei4A9H*u03{6!N7)qXb9rBZQcrk$7j2j<2KZWW+uvUn1?c-Q4_gg8l*m@YX
zo<{63KN2B#s0mVgSaD{5vQ}fC*?Yp=dD2P@-V4g_D=fB_`jqye?q!p<wE_={My+mD
zU~rk_W-llFs}@h9xoUi0pB!7Qx0KQ$BR(=Yu_I|ub?T#x;LJpIY<PSbv*zGirt&_e
zCWnKkcr*$60Aw`=>DcQV|5+tpFHB-otN*rJFRyENh=ycYK|ukSaj1UP7z^SMiz@mU
zIr#9cG++A<PNYTDx&F7|_8cvtnpk6R;I{|%eR>f_2}^I=&P<*mH<s`I*5qX%QU5T1
zInz;m#1=NhhYoB+8D7JeVUgL*fa@g`mFK#a;Edy4A5+h<!W&%49dB5rs!-UjW)?~}
zH=_j{by;<5Ow1tD+8VAcdQ)EGJ6}@~LZxSNCKPwa^T#ohc5mmdP}f0&SmJ#j1&*Vm
zV`KMQpAR_F?W#~?_rH%z)-|2Ki45~k9x5?$Hm49SOk%I!1(8#+nKaL#$PP1nehYSh
zK?JK4l)xO0Y)<VfRX#FhE@XvWf5H6c%d&BTlAQ>i?&&XLA_f>3tU3rz;$PgtWnDVa
zZ#(=o48ALx(D-ccskn3G36es#rGO&cblk&D=|T*ZI?*Zs3?E9mq}!s$yvI(_0`m$?
zTiuo)zn<w5E1=_0K*?fvYP*L)%()VcaByzDtMGF`AfJrsDah)t$MyZ=>duHjz8dZ;
zYxMU=569|<t?lj4!=5dxY<OUF%)@$@L`KaoLGIZtQHJ8JxF59rAnh!A^GG4kYk&cT
z?3+)%dIutM4lz+Tuhuxp8oEK2#OZq1N^RVeI2IJp>}>Gk?qg`8%hS>A=1Sqsq0F5*
zE`?ThXmH?SZ|v~B)Ddak(-G+;WLfTqOL<0|lns`+NTgb1&B)5RhAnVZrewj(+bIjm
z7*G5Xt~nKwE~EbS#EnzUVD014FaFnPNr6jRBZ(aY?{DHaBPqO%N^w2NIR)2@duoj_
z)z<*|<QI&QYIjK+%wbz+TrZibeQjDNH_X>GBmz__<E&Q_Uv`8eZL-c5prTtpXq_mM
z-P6s4N=;{!8RJwmVgfj~8Zk=?wR!ZGKAYZ(qUyM{0MCa=Ce-%rLp~HIdjmSB-{{a>
zCcegcq5MI062=+hY@Jq7l|^o^Ser3sNP-`GKsxlC{idlc3WVR4Xb?t^5;AT1!`bJJ
zVYb}i_UYryP1urI3V+0Sr&@0K@~dWDemnhQFXDG9RPFQk<QAaW+9c0Qky{o;4qh~X
z$8mzRF_TE5ez<RFa9-b^Y~Y<<<t4;=mG}6OY}RC`^t%IGu7ngDf-PBr1V6e<Gk{Rb
z?BaLCCXVDFxxOdsEfhK1whYb;DZ0_JYB5|rWbN1}(v|V@FDf<{w4{;6PN$&=UL-`G
zm;?4;uMy=0?f{^Zm<a-&E{i}wwyMkozqaI`)L3IPY`OHN#mwrdJbQ<ld<`D9OjjfH
z_TfnJzC|0mKBt6q{CJB%gd$-X0vlBNANgdyvQ*R$bSehF2WtfzwZ!m@Sd+J%2Th*$
zo_J`=-nPF;iSu?L4`Mb9&mg?xtV<{S`p7872pdHgBqxExc$O^Ug%svkCGGMl$7|R<
z!|699{J;GDN_O$k6MpztiH1&K=fdH%7e^oHMSzK0p@6|4n;p>1%9xVkM1Y|`+|*G-
z4oo7?TLylWr^Q*CU|69c_NaM;flR5iFU_w##EcK;Cyk0hQ=h35Df7?Wa-r{>(y9&J
za;E|GMk_${$(tl`|D3bryFhKQ^x0u#e9=bB94hA)GBqKF53+hPF4VwWp%CFweEIdl
z4{}1f^j@H6S$uscM+X<roXi(fYH>F&%bw^|aVr)?eMHsOazPMX%6Mw%c(@ID75v4M
z!{pmMp90eWqc&RwVkSS)z!MaI#hW%HTYcz2U_5ZPeze}K(wofByo@QY?%{hDcngHJ
zuVihMv`EdUNbgjY_QqnXx&%hr{0un|!$6oQYQZ>>W)JX>JtrB-PW;3R-uL*?sIZTR
zMK^}DPoij!+OS*Ys&6?jvI2{XPnOj>)~|oIXUP*8`n<g!;i32LHGK*Ud5R$i;7iCA
z83V6KRZs`Csnp~L7zyrAFi<}dE$CzXP20@dwg_8sES2GK@A49=Q|Gcwm<~BBG@%(o
zCL2aQX?<f5hM8iHYtqX_${aMPZ-~9791t8LA|d#2<41~0g0gYLSc~l{+n+0gjPFZ7
zmLTj{0*TGFt-F)fF@uW;#1Ohhn=O-t2Y_7|8Sq1F7q~Hd5jdIKGC!!Y7$_MGtqfU8
zNT1n;&|G4FqR<@L6If8{9K?q#M|E*yuu5D2O+Ow}LY{|khrn0>+a#>o)K8Cy-3l<)
zbgH+XIIA?d@Q$zbD=m<z(qWe8l*x=jvC}iZ2xo7zgZG@vI)b<fl7_o=U!miVMSuxR
zk0tJ((|9b!lkwj(vxI%Jra&<_d9o3R34?ge2LySr8NRA%K4nJp0+1ec7hQ7zPOt?a
zg!9i)!43sMEIO-(!WPH1V=>M)gvJ@a$m4~Sv{-es-{mk6(=RZp?HZgCv{ch03YzL{
zqVm$|V(uH<#4ulD@c>_Qq`~{VI-r8OUEa{`LZu;$MZ^8l>~o*b%1?&{Yl4#yCm2o`
z@NgDu1n;PLVLe>AFqFw7&1;$rcM_!R9$6BZ94G`Q15``v>y7Ya%IhJ~5W0D6TYtzT
z3r+}Aa$~MP<TK_UYMC|SVy;=W(k69(l096NI%j(Wii%q^`^7Ek;CpqvA%Tb5p+v4=
za^bV&VN__w+k}abOwcFI(;~zS4m{tAMDmOT=<Hk$lkE6ec{{nGL@=mYJix-tZ@x89
zH+W9*FNq)l*3Ea38VtYPo8A8zX7y7!U{SM>a=p_ZJ?-5=Ajl1W!bjQh@E3oAVsCxH
zR)I(5SB7-<V*#K0I~rf7)(<ph4j(%JfU&toH=>NnMvxtfy5M<_W#nrhJ)%d@=Y_Z$
z5a+T><O>N|8dc^rJf|0<1^@?cUmk4Odr_hP-1ef{z9}X-8EHGr0{ROqdW8|9j`7O?
zEkaTky*g5ImW3S5#c7WYs9@_F(NV9DGH@Te4{^qnUfFAjU@kapb3n?BcRGS8QEx6t
zcGkt-aH<jiZa@_-?)K2yx6Hl(>-IQ@eJ?>t66rK@#goB4!t$d%htYiMhVz6R@SP(J
zN=4Z0hF#S@oP&~-=xh^x4GJ=}&WiELI$g?BXlCv7Up=2>GzH-?KE()dh}jpVR|L~=
z?Z@RB<L5!>{(;{Qj)BpgY;LeHR<04;0E36!Hy?iR>3eOuHOjAuAnW)5R*oAi<4BH5
zwHuWLHX|OH9YEUdYp(xS6gij-42n$pc%%e#=4c3Mk}aO&eemxCuwZzezhG)eDFN4E
z)YQ~3KQF0nZJ^qjhah8KAm+Y|P(P5wHuF*Jw0R5DBJx|^`+&r-(C&%NlwVoo1ML<@
zYUBuQB>i|e7(+#NJ!Wdj{ti3g4Budx#G4V!dyjA<Vl0$x8KWBTwnv9>f_@7V!KY#F
zz>llPL!?Y?E#)Et)A<>mW-rCVxKipm!M+4^w`HMWL>r~!b&Il|iLs%#p-(gp#xt8%
zV@)e&jZ7elT7evC3AK={V+}&dJJ7O5NzH6!j{V~Bp3)pAEajGJx$IEwkP!)2!p{i5
zi|}{0G;s!g-8Xjbu0hUlqm1jf)nX@2kQ|WE2Qr7@A?UDf1e-<%QoGeOb?8!-8}|(%
zYPFHAQc$%o9^U^Ib~YQO?(F|at}2wJ(iZ7wD3nJ(QUpde0Z_o-VPk8CL@6h<hiAid
zYRd8;oG@B&BEa_;7KH|I>VEXSI8^tgj9Z<F>?ET%XU*Px$vJo642k=y35ar5VkW#H
zZNUY=ojt?3<Ezu<(CjEl=A>_1*~F_jIR+qmc{xQVLX8JvYA_o;p1}pd0bS$Q*A%JE
z<HKJV8-S}(-f$4R>bxYU*D(1Uo5Dk;T1pA)71Yq#PA`1q^>uRj89~r`6;hvNmr9cL
ze^?79OUHB~p2l0sw3vRVs(`yGjjd#5DGg419=}WNP)U^PkpvsOmh}3cSq8c-=*VQ=
z95YrlWJShr3~hK8TxQUz(TxPVhAh-)jO*eC>jAM!cA5s78(i6(p=}yl!O;vP&w%N9
zz3ec_TK5dg*<KRN`ie`0TZv-y(pN=m$VUZ1KCQ=$Wb28$A$m#uWEja2y!a|M4XTkC
zt9|5AI3}lAVTQt%h@G86--VgJ3}I)j`}|?x=cc3oy6%Zf@OuP-Kbkmkik>9MaCGdg
z*aNL$`3%$mPU9>#aN;@6S_r#i$yv~(8aqZ5MtY+Oz3D=e2E72mma#uPDyw;a@OkR#
z>Vgy1=L7W^cCwDWI6r6x%n-<4>{Lcn72#o>(Th}0Q^7$+rwSx9eNWkBw$o7&4~Tji
zs0NuT>Zz<L;dt}x{Lw?pyAGPLEWEUl6u>7xn{DU$&M=S(6=Li8Pv$n*_&>|4Mr<7!
z;qQ#}bvgo0Mb5E^$~VHU*k*K{D>inRi4#8MqGI3@x`?Rj0_!wBts|pE?efusa)_3K
z)Z{hSWpTWGbiE_6LsgosCg1!7aGXJ!y-pIH+hu>RAVcl(fVMWG6ohw<<<H>C)j*jt
zT8#}&8*%+Eh=s85(PeHsat4XFxzIx%N>MJ`Z8YyI3~(==6g+ce^5*c+R(kQk+iW(v
zqGMTh-i^@b@8ZtH^{a4V$%Uo@kzG}o6`#Ikmx*+2vDr0(HUb%c@mYl+w6)ZUQ9{c(
zAt0vtY~IKN`ABtf-8eic!{mXjCBP5ln{KE#?FPlauwQIuo1{xb1|QJz!5zG=L8M!j
zy#wfG^qW(?n3aCmV48b?;_4Nr4AxR*x{AjcEk~J9Z_I*4qv(d}!q>+`x=%|zljd*0
ztQK76s<l{6LittRJI+8M*ae5vLd0ui_-BPzjYjaIM&_91DGTc|ik2Ui#6Y3!JaV_&
z^*lv+s^akp&>(_sd=DSG)uz|m)EWB9X4+ev_~-(B$OS4Piw?#luZ=AAcqX3xT#4{h
zcfHgPA{~2)PY!%pzV_~1rAC{v52T=xGJ8AwKi5{dC)~s<ikw7=7X)<z&qPtNzar!2
zmR=+Hh|5k)&h|?f`5*|C7=X(L+PU`Wq6;Jq-bvEV%@$!E33`U`USZ0a-p0+eegQpY
z%`c*Ufb9HVLy75%&Vng@2OK}X+E)lcAPWbByb(7ytPmG->Te8BW9x1(6ZSvIbxX4F
zIUNr9M66ob=2$~IFord4PL{7!St&$y+e(ePVjh7+*@no&HW=2=(!jP8$_lp6r}LY$
zori_K)Z64VF}dplAF29PZn3SK&QIm<s=>(T)@U!9t@^e-hL~3t8V+q)`S!c9v~)_{
zNHaMe>J~Tym55%B)0-HQuJ+-5lJW<Fan<uUgY{wFf3Dv<Yh7A0zwf=ALvnN=zG}|h
z2E*#9ys1=gIp>$v3IL571Jjf2N;R~adkUD*w$sbdR<;`)t0i+3&Fxy>l@V91rfKl!
zIf7=>DY@>QRR`1ChUYrs2hg@{D9N@>Lh;FSYXna5o3ctvV*0G={3I7tF9Pu${6p3@
zRhpoF!Tg{T?I}dh4t|?BJT7C+#h-8;xv*|U^j|t2{PX!SjtSI{aig;aN|GWxHC-Iv
z!sS3m2<XXIN_YQ`fzWzXY_y-&=$ccPvbu2X&Kz9fv40o~pylA8FF#GfJ_u#1L0Kci
zcV{T1m=QC!ui@rnXz5^L^nY~PhfED#TNmz0WxrpuRgY#hMM*UJvldcRshW)7yr?BY
z>YNNMU}JZZvH)C<Sxy$tkh{jh-JcEA<1s`pmK;Q*%PbHL(OgZzraJA&Vp?FiQafYY
zD4iVP9n+E;{Z41B@7+lcp*2y5_amyQt7z!Tejjd41xDX%@Ntqrz*fTjiy)JA0{E5X
zS^TIMI%SDsl@{UgTUwV`PRG771X318Zt{<7aZ!Ua6#yu7!;Um}RyxPcL@gxjKs5Ps
z)X?7M{-gcoX_~cty^jcMr4!D3TRT%!0Zk6`SYGWKEB*xa(RF9q?$=>{t7+z^+O2vc
zdNpFp(pt`J7vTeTYDu;Jqe558j-d}v<b91jix>j*bIZSEpQo;_vi52b{hq_W9qD?p
zgfMi^S?0j=`ptT@{kqdM62Z25#0K*ixL5PLD`>5LW)()O*m*8(e5l4t4{^oR$I%&j
zXKS=Hgh$*e>UimwC!nz|1Km#kNlXC|q4<uV=ar@x8#^JnKgBEK4V!Z!bvG}V5T|5G
z665Tfpwv2tu@lvCDn{Gv6z;~BKmK8!C->U$zpM#`76`zsTqjJ!b;^eU%BMqSkkt$Y
zI4`^L=F~|+*q5BWAa<z3hRCaNV2*O_27UE~;%LPb^<eWc2IG}T2)vBQjJGY#!_k8`
z%wU7?jUC>)FjM7Yj1Y@$?7$`WrfG3F5}&120E5HjTa3c{X(tH-VxD;#5o_4Ma?M?6
zt}O7ktw_!#*y_N5W?1%R8j!m&poYNpK*u?Bsc8lZm)>Y6=YsExNc_j!rRoI>v0pn;
zwu7~4m88A*W%7)N0>jx!UIBG5BAgFsTn?whO12?8rR8N|-PH;{GPWd2$Vl`tXRiJ<
zsdatF!x4qD2Vu{Jr$gt$N~b2rr>v`8wFg*Y*h@NqqTLBsd1r8nJo-8>;revf$WtOa
zRElRngd9a=%Z9Y+!vB4vLwo+$Y03Lpz5W8C`#a=R4NPAc(o6i!b<mp2l}oGNn8I_+
zJB_7Gh)<&^Zn_YzurWGm%Mx5=J2}v@fX}k&VY(-7ZfMW`hXrBDNoV+Lo|@)GaXpax
zuoQpe&=CUjeoBxCs#5S#rNxTMEX^1HTiZY(E$%vdsL+G@PxOJq%PbSdYt5FwS{1tJ
z?~!}UzdZj&4tjJ|!y1`4kJrYvX_7`KCr54*IcMwq`Jr7&YrURIchdnsI4l|oV+D2r
zmPE;Nm4v0gTf!)r%PxwaO;buz(7*<Kq5e$h^DTHfE}KtuoMiIi|ID0aSFta`<wCrb
zAeT3h<PbzIWQkAgcruDsZnKWs!Z#4eg|b#Vc6bxw3$isFiJTXw<?fqF-+W;?145>$
zrTB~GdmxiBN1VJnK#mnG!=<Ilza!>;1#P#c^2&d4>Mu8w4_ysJ=dSH5ot^`KKJ`lL
zvpk2^?k%=Jec3`Meg558)cmO*>HtP%qo`YtoiLyU5S46Y%_u=5XsKj4Y0dg<`>km!
zb^;EJ7z`P_fQNNR72$p^Bu27aAO>cAL$cgb3c{{6_~K5RUYy$rD;zkU`CO6Ovi&L!
zsvKEy+Y1)_F5PUsE^2s}Ab|k<#ap*o`{?+lTu9Am!rB(dhxL++Mq?SDHSpuGFapa{
z5AYKvy!&iO%;^xv@PjSCBBEbLJ~DIlslzH?<Kpk`l<Ed02inpzEu(85mhd*lV3?H7
z<QNT|T_!w6=?hJ6{fY0<Va9aqLhatVU+$LSpNWHi%7?vO$2rnu=2e6h@0czJc`*Ou
z^d!XR)8=Nc^jIngduvW9=rrm_7{u$w*Y48pE;3VYPZEB+FWBVqW)CO;0TVu89HY$u
z8VoFj4V15~jZuD9Wye11UH>CJ{hZJBc*8Ze#|MO@g9H5aig<BQM*I`>QDA@L)zJ6r
z?q#kt_va%z<A?CqqTy2I-*8FmxBamt=Bn<rsW-0>xoxF&OwI@L*3Eh3hnCD4O~Jpr
z$K2@A>Dr#2(PM=@G2U(|u~eJddoC^yE{z4{LV{kIu7tNuG3OMV0|Ks-HC9CqDqO(X
zyzb0>CpMs+Qq-@{x5vev$B6Fe{9jR<O?}2k+cj$vgk0A`IoT$S0a5OGBR94Jdd=tH
zzfO)9DvjG;Y!|WZ3!sGj*o;<QhRmJ<W=}d9XxXh3U99MoIcb%(NgxLy`{?B5gCi~d
z2#@!J{rF=qT@Lv^Y8*3XK3yIU0ryV7r&Pbv`CozZ{DnR5-Rf^I+lJ@Y?63lV%%M_E
z#!s3*<Ib%+eSSR>Psttc`)q|BYNw&y>2W<OFC_Sdd}eQ6n8dSa5(T<}tJeWUn~;=!
zv-PGmoR-3?8T8vph3v~nB!WRy*oJYi3OD_V3~|ue;Ye8%h!{5C7%jl*;mcLkIr%*Q
zsC5D-;2A4FbJwzu55Fr`tA`w}icd?Z!t#pK&LvCT$U6%&CCags$Zj6I8ZXI2+{K;!
zGdYW=SE7izN2Zv5b>T>6>1ib6)1=bF*s|5hQ)#D<i;j+pxKN5$cva0$Exp$rV4>b_
zo=Z|-2+9a!@sypgy@=PJ6;%jh$H}wCl#h`fQa)k)i1L6aZO-Mg7h0?jJHGq~Hrlm#
zw?MR`2PkgHfW-7jfj#~n89z3s--Z9Y2=ywz(@g$mmp-&J=`%;*;R#fam2GIICK=ml
zM5L#%MM5a|(C#bV{EFSOHsJD*!UiwDatz*DI=!#?bqEu@K+L$qWx_v<VWkaO(4m&s
ztb!Y421yfLdSpNcOABcvGaFSHab&?KR3$tXc)K{py9DvE0j%<s7c$<iDc?WOorU_?
zw<$|~T(`ZlK@24itfHPiQq~V(#8%CwZ^6)K3&ZXvWpti+j2SiS1J~@>lf?s{`|j>D
zN!qqUfU+@LHJ?BJ3sLq+BKT)1BTY$xS&EvGdScQ%rdJUwMYJbcqY7)>sg(q3(rs7`
zu1Va?N`UmCEAW~rhtqm#`CGz1a%r3d>cj1)ae-09YFQt7VXqaam%5O&Kur5^ka>`$
z$;7&PrWxnPq?=%R-Qi?cdxdegYIXiEcVzw_x&uS^rpCI?-hYbuy@&C6f6R^deWVfC
zeY~K|MZCx$+X?YZJ%%yoN|?i(AmOI>yb`PX>+h?h6HsK_)M`5#+y?3yuNCY_W}O{J
z22>t4m4-7hWTj&nfeK-zFO!JY4rTezHH)qkXBXFeM@3Eb;IE~dnR5T-As9MAr(jmc
ziFTjx@l?WD1j8!h4Z>@13Lc}yh^=SQDsD<i^CgrfxbF=d6BoBco6^D*!5>oy=Rfci
zf9T_$0P1Tx!G>BMdyj-$6tMU8$vVbhho<o>dTS=_<>{08WuluiMDOXvfEP#z=f!R3
zmP%8`9HxQEont=7G$CA}I_~yCdDM>1J}|ruIdMP}Cs{C?Y&nNu>eDOQ9SU8AhqEI}
z_oalgl!p)n!OJ2n6o?N56-`LM2lC5+7`~hL14UO=@8zJRiT_A7{}Y&2hZ2GJGLMYs
zF5r2<PuIRXzZAjJ3zGWkpTy>XN?KKMI9XiAdXuf#fUqwJ$KeG^kIbc;hI<9WI8p&G
z>$JX1f~3U*S=e+d8CL3eh{R}TGRg$ZxH4x925sj3XpLmJ7r9YPhi4`zB@!)B#N?DT
zAU$o6sj|5B(I&q3N%rV-*3aHj1tFayx+@QkZnETzfOQ9hwK6j}3|3Jj%vYOYOoNz&
zZ|Z$dOS)xlDbi4QBL(5}C-S8%38<-JvIlXhMT!2Eu+liDY4f8^a9jcteLf5SDEztw
zRmX+@G<_d?s-R)bh;AcKh`s86A5Fp{p_+<UCI&SP;f%7_YLhzRAG$Z?#H5%j0KO;a
zDsW_pUTiHK7|dW#p$a`VCan+?Y6M7kEsi)?jNz<{D|UWrHC*6-L;t@J7okx%3~0fN
z2=r>n03!1415H^o6e9Y7gIZ&e8jWmSzk${*i9okr42_glrQo2tI4IDQ7j@&CwHA0I
zqAw{pB%Od$ZzIc3DsW(*!#Xo!7xIY^P6uB@mb+HSAXH01sXI<Q27|`}HRqg-T;Sm1
z?Y2@2I@N0ArnunU?QKNVx}Tb*BTj*{$Jk(%5w4EY+MlUJftu_48TzQAD$VA`HZwv=
z4_$pfE&tRVz+c#DQ<5MSIeAXm8@U#WyTp4~T|4!xV))EnY-}K&1Pvno73S}XZ+8vU
zg168z))JA=!R@&?s{yJ5;-{YZM6m2mRrMlr2~p`gr8@nygP!=%2UQI$i?2-!B3C@E
zp{Q9E&vWu2_UqGYuO#13u|HmS*KM>oxLTg!<24YzB_b|qF}$3n8#q6oa{*#bX{5m*
z)el6QRqHfXJu!jNo5)>Kd95Fqoy$;!YVQ(BZyb`a!)kA%2_Iw$6}FhCq@Nd2BA><Y
zw$nXcLX10^r%a{<o{{W`2C*3`mScoGKHlOvM~2tS&sDTh4U-|GQLj3%-hK>GnYo{u
z*q>dxrUg7F??U_h*yaY2&D4h@_}Y<d!{0?X2+GJd+Geq1?u;Wt*PD}KEhQp7V7U6a
zK)gLSXUP9i{~)<|q()@m6vF>6z}k&e1rG(WM={|4w-^Hq>|agB|Fi?p&nOA-V^IG;
z7y^Qg76vx~$wZ3)h($or(ZmG*4U2+-{fmzNPs5i0jYLxt{MX_D1N;6zXfUvCZ4jLi
zKB!k49>f?!3;1R9Z%6?G{_FCZgDPWW0UQ>f=NKN4U>qKR-wGrj`wtn12TlQsj+KCL
zw*dng+hTxDVre1f+`&Ly9=IUJI1~_bEFR#=6QmPI0jjV@0s&(Y!G}N@aS{M~U(jwG
z-T(0^2qhj1JQhS1F9<LJf-K|t0kVOh;&>rIbuj2x0v5<A7#=hcg95@zzyogtu_VZW
QcYyp7SfKkN|8xHT2L$Y}`v3p{

delta 13977
zcmZ9zb8se3&_5X4HaE7-jcwbu^~4+NiS1-#+qP{x8(a5%-@Cfs)y*F>UDH)FT|J+!
zo@x{ogEbX_)%id}-orZ%-T(p61OR)-18$V>fQ7F=dTQ1}C6Nyj5pb2lWA=*IaG<L@
zxd{o<2=!72+4gYi%|Blw`z3Dey3X5`<vH~^qq9@|Z0&Dt4Di>HP9oaN^YhImw#72q
z5|!qXKmJKLK{c?El?d2XWQ1QCFkhxGr+E&XF|{W#)$AbUVv@5ZRlgT8tN{u#^flV@
zv}@YT1}3nShM9#Y5SC<AVyR))x~Yz-=^F1yq(^B+b;H4>zbwu>ex+;$IjI=IK8h>Y
zIt$Y+%I?WbX<lwfX={TIWn-xca^-hul<r?Qm=MguJNZWQ+fVMF4hl6G)gg2BudJ(6
z$n&7vk=BB4Y$Xal5NlJ4Is!!N1mgS6rE12<(bakQ8xFqtwBID@e=rfWg<`^mbz(I{
zVRrcDyU4k8Z+7UdM2I{VmYwtgBPA1R1-6h_E(yxg4RJeQK>M*Q$etQsTb;g|ZPAw6
ztnH%gKLiM4{%TSKboA1B>S)C+W#2^&Hgz97;Hb9b_p6yMV9nrYU;s~}A?t`!lL+&g
zYVY}Zpwl~DO5Vx?>fem?I9nulnqO)MZXiwEYr!~&7}#c+^=filZsKJW<J7siXXts@
zg8(IJ1@%BVn2EU8e{Y*0pa3EwHST1+kkidqBvzIY#RTjzL1w#&XDqPzZ0(eLlxc&F
zF=zYTdW6}#&G5^%F+c=br}>&PpG~ta5zdaLQ}~DR#I4TBM>5@6+&|HP*_MBI&vhYH
zPV$YKcuXtbvq}$KgT^<NE?OL|&@!9{>I4%@E%8kgYo$f_3VSrlLcNTE&DI{o)|3x%
z{~&t&^*+STSfM94;g-nMf(lpW4Z+HCUK8>0IiqyKHziZ&qXC=X<W}p>LeJU1kPgC=
zya)cC7xh(VG*`?AxV@BdnnB9vHA}&CRH*?mGLIj7*N`5amwnW4_cQ)n*aT#e9$)qb
zBJi-x7<ecewBVZ)l$)7}&?Wulg)pI7$=$KjRXcv7FQ{lSp}!-5FPuPs<P&rX89QR1
zjCjX8-$vebKL-plY0hK9)dqCl&&7JXkV-u=;I@$xy2#7NzHf{*fQ#qa9p@xWBTz_^
z;*T{KrY?IR+U|LU<2TupI}vW4b=C{q>V$aB**=yF`tJYCe`ZY}Bk!sXvySR1a4Tpk
zU6VJQiKMHst6_resx}BPooOQ}xuGZHFxrH;`SjR&IXfJ9F<`tv8x%%aN@}$CdRbl~
zPMz2XALIF?+GxfSR<Nws5@BO^hWYR8K4v;$&`CZ!0&ezjx|qho{s8~LBR>o6D*j{Q
z_vK2TA_B@HOTKh-cYOM><B1zmh6o{PrvKo~=?^TgjV<wy6@PGn0QV^|fDzG1jfL<^
zU~q{aCpiT;ARvn&z#mFn01Km+y<K+lcH9OtO4tqE6Cv3yaL5@AhOBB$Ut_xkTOCjv
zdl=X(oxNcJs_y?1Cy$npK&utW9KN=joxwAH<zT3}L#L@TMk%?5oH&Y42|r)u`gr)U
zXcf$FZ>2gX!^tlRT{FM^`PI3uP=VdOzvU%t<rc>|(zHl2XE$gIsPJFEhx(VSvb@x%
z*o@>>$<44;&;eJ-EEkd)1w{y}>W=t3wZ!OCxxs!K-!+ulKpFh~NusHvZ21aLPkwo_
zg^)$NHBc*3COssCtkz=j)SVntUtQ^iXf)Z|7cviqaiPrl$Iz?-QdMPg;Z+zZE|Y0;
zHkdx&jzoV2fC)7U2s)@8K)MZ$+M$G{0;l8cAHz332Wh-kS*)gZd4y&HCTx{?i6x2i
zN5RfWyx>MkOdcok3;vRB(hCL5`)R<W*Hurbc1_KLDGE{IKt5!!%_;VKzS~{ncD#?!
z%^>{wh2t&JlILwr<fXnonBT|iL2(={@Q#orDpk0Rnia|lAUAk({-ENATK)0xzQ#*}
z`n~etUb{Em{uzA_XRu&zPGt5Zi(vsQip=}v%!^A^-ut5dPtd7;2PXmdgT-w`$5w}c
zsNG`E8s!8%D`_0=_4aysKrqWly2I1i(@fHo_z!NqojuY@N!=g&=0x|j?I&B3J}E*_
z6G@UpMJWt40D=BwpdfGfwPhJur#z(E6$}a=7?PrVM+FMXB?^i!>b^bMLL5jv`Oxc%
zMxbOiT!cR<7ZSuy^?!Sss2_)S=|ii?9G5sKzEH2HEd?fCm&DzW(LJeS@umcS&NDdj
zcYo@!i3l>2#;rRn75kX=K7@IEf51UNettmyXKD;afq(!6VH%%{u{9)RlT?zyBo*_e
zTCcK>V{u}h$(N?A8cvGE{VtBW-SJI`6r{A-UoMRn&LG*$A5)tP;WcWpS(!J|t(>Gu
zYF31A`sdUci@=q#zoXHkKB!6Op7NE@g-TpZ@BeEgRUm>~u9SOaABr9($~2m2N-{u4
z5k+!X5X%Cvy<f4SYMhy3;K_Thflj9MJ3Ftkm2wd#T_Ij}1ST1@p*s?XPfs7|b=BXy
z><>9KoY`q5hSW<bS~)G*)EA>tW5n55R77@w?`dyJ?eQH!CzfkvH9E_EwV9EfE7-^t
z8J?`ZlhG7oA@{~ER;dgn#{m4I0%Zd!+4vD*x9t%?ZZ$&+l-e^f8ZI#ljy-)GqrD0w
zXbPRFu?8p|5U3io13cFsf2V|fLqRR*Lf@UB{aFJof)ooJ@AG1Xw1bIgT)Yp$sV0h;
zKPX_nG*dygpq1mx7z=?>^UitMuR(pf@Cg77S}@2*NT|f9BXwf#d_4@Bq8|`0T|_Hy
zA+-Z6!*8GvuK&;BsGbGc%JBC5@rE}B6J|zwlx_D$kPuU&sr*Lt8G-dV<2UT((Sj+n
z%m0Z_Lbe?8vR9MHW^wLrPYHgA2Z;cKCyOXx)a7$q|9o+p!hH#;m=^Ju**<p6Kf+FC
zC$LjuuGn^+!vmBW{HVmMFR-uwk(UtB0#L#|r88R?PobnQQ2wKo??I#R{rgu&*UyeF
z4N{D{w>_oj+-2p5a14VNb84=!aCWy}tK!gFaBGY@1<+pRe{|_WM3$BGa#n+?hcQ=0
z+zFBldQX82mLbEQu8xf4{UjVz<)f7^@r2R^IS&LyMY;IY>%PoV>eG5cF=AzgqC{tw
zHZKH1ViT(^dlz&2B;w$#j*Z^y?l2Qq6B*G@{xZ@y{e5~^VQRdBw;lN(R5tJuUr^eW
zwtQc%BafzXhzx}Z%vqTk(b_<L{8L62j*)P%VFlBOs?xYqq<j>CUf8?<u3t+Yf!r?_
zydZ~oZ(22|Q<C@Z!VmLo!X}R}b<8OeIziZ_)u`G?L2z9!Et?#{o2W@Q<U{SNKnf#0
z^0sIrTf(W)dzdQtYoL*!{=#K7q)v45)nl!&BW<<9zsr|_F}H{=9H`jVXK4W((2YNF
zsQ>Ah7t#)zU@B=G{4E%8I&~2{rouxn=PpwjRLWY^qF}}^=0S1OC6JX}uUq4vH9mC4
z!@%5g5X4c>l42z4qXZwaE@E%IvTg?59A?erZN@v*z8)~my2tythh?|q5h09AGD}H3
z?Ourc_YNe)J5n;JYQ*)Fblv=jRY#Ymfk<UfzC>_O00hXXaUuf1u2l+`s!`iJ0iPM;
zEDwAM460ht1yjdQ)|X^V%#=Yq5`Zw!=M`E#vkj7N5fT3ntFVwUB^XGhvc$rvDmYSf
zkzmWB=ic@~8={GzsA~mKRwvC#Ae4wcM)*OjA{XswMVzQC9*6Lx98oALe6_-9j((Ws
z)foSwx&(}I2n65>`&eum^PkL$e*=+&LjLMPBy78v2>ZwY=#{QJFDm6BZQ$KYFj*j~
zV2pTuUD?3Q1FxDQab#(j>3O${sS`Yu*)MlkZE&m6Dl})y#cXmp5jEdYPfsu8Z5Tz5
zYUfFcw;doRV8#tgNJo-`C(+(d`a!|o7{!Cc?oDCUZU8FpD{?^_H0~vIEW$7UWah6S
zzUVkGqz!e)xU*?7+u(yj&M{qr>C3E`Cuw>S6Cb}f)g)}`#An3J(t@A2QwoU;x9@{U
zv?tkwd*mUjU<u@qb3yL23$-uDRbiWIsFHRX^Wc^=E+%AA!5`mhF!Tu5#%f(drE)}Z
zNi?Gjk^u>m-|Y6?QNAE!@Nlo6y3J;?`5pO6iY>zSC1d#!M;O~`b^dVq)xw7;fvmzc
zYJK_t8Rs{gaIPx5t-o#uM5eeufOr}q3amLrCFI~>_Z;W!JE(^fe9q|Ji^SZ8Wabp)
zfufH9Y)Und2P*w9v%GbSCNJ9Q>7&2AJXxShEr3=$UoOF;W5}xhPlz=d=`Yy(&;$)%
z$cj}y0VgIUUE2F!nN08w`*5NQX;~mL-8yKf)aYiSkl&mT!}I13APLnTI8qjF^h(vh
zPmfZtuTBNx-JiA7AJG5Tm2~M?JK~RHe$s^p9&I*$2xdP)`A_}Ysp68z247<Wj1UN*
zHKNfZBzL<c{N&<|r%D{a6wv#S{zfs+QuX_atMK{Kcdgf7j$X9a7Sc`IUsm2@0?d7$
zt=C?rVMl*2&jY+lGGfAkOCpI$TdI#LO6uyYRMp~`Yk+tIzn|^#V{h#|#?)RrN+HAE
zb6e*}yDt~N&ZkQv#~mil)3Ry6ab*$k`q}T{emFXwSV+)OkmKu5!w#ch%F~1SdXJT0
zPOSp=_OVI(8e``5!SD60?`Z7y?7SMrbNL$dl4Tby0wJOG+?*W|hi;e}%2_o^^++)h
z2!(OUye8NNtY!V9y!i@P9TFjujV`OWw909ZdHb``WoIqUvb4kKkGT>+bSfm}_@-VW
zoPz4Db^_<hGOb0eS9(|t)!eah{(}hTZy~P>?Ne#@2CA|v;hC4%{RXX-wvSg#AgL2J
z&1fb#zzIWrL>hvDTSZDEK=9Ebn0VAFV$N1zY#}AJsU>NtkI?&&1J<|;Gv~b8=HFqh
zUye!+0gENVExw`%g@OiPAADIZeQ3z;^BO{E<^bijx<yZ#yxca5V%U##*GDmyE>nAZ
zqu~7J@P&R%W<4`TgIb4b<P#OsMytreo8cAwl_$#&gka=Qu&<auj8%tETMF|sfkRK#
zc0)9lU4L_ZrrEA7enUf9jo%WD1-dEoEYYmKFk%<?)CDPcRw4)R0c%6huUYh5!Bluo
zfw@BJ*lCep3LUUbx7m^d?B0sxsBA-;f)!Q5{d<Hdj!NMpAD1DWCotJq4#~SOuj!^J
zd>us}-kPKpJwh*5i~1BGJb*ld<X_pnqFMiKYRI`=>EQ0MQ#Fa4wS50Fz5Yh5Fj?pC
zz8ndl8oUvU6><f9;q-nlBs$K%?Rueq4hzEUJe(pJ9{#lXT=_Wr-DmM@Zt;7v5@<DS
zv1L(H1?`ihQ&{pyX0RDrj~3TlfBr3~-pR(h|5xeCkakSb-EGBkV9?ub2p5yV;z}#S
zN{$)}FC31if(1FC{4z7kMZ%H;V#*<exZ4?xRh0hSyp{{7Vr+R_wD6p$s91<3O^Cp!
zNg0`{1tV=)C{9nhbrwumG?*oxhNJ8r>C9~oaAJQX!aQRs&87?XS?3I~)86HKuzvs$
zL)>idKLBb^-`hV=`Js<|<lFDlqqJq4v?F2d#VMTas(kWS;oK^889hmS)ENFOchIRZ
zbUq!wJ>LK>E!ws1JhdP-J51Dnsai9mQm~9y@&aRImNuA^WdyQpTzHpXi@fIvS0W3)
ze#BAb7zWq$`7gZaHxOnLnd3?tcFg{{$~{Pxu>}cbg32fGt`<<ghj$!^7;hxX;r+En
z>A73L+Q;oAHX;`fbDJAtMWNdV<<m$_s>!*V;=2Yc@n7*l{LBwog6Xm_%bjqa#X`9%
zZ>XsLA~z1~K#&;k-~ChFzrtS0?@iUmp%RDDJUP_Gd?p#G>D{9}Va;@^SinbOI+%~4
z<$MZBvn|b>QvgXeN`T&7AN$q9VD+D7j`wxv3})4ln@B8el@_US&kRz)+V6BVSTd94
zT1EiVmYZt%cV)NTBM8+=co4OO3HEzFOPu5>mp&}iJDB<&jj?QF>C6pFfg39+`6xvc
zw|x`Re`$wLv@5#UGV?@Vi_cS-kZk(g0|g>P?P&z+LS9(rbp-uP2U?MXUs{JQjY1t~
zPvg{Fe`TT%q^XowY87#COTnoZ2thzeW2gZTF;mzky$zBk{+8mWj5t;>3O}KpWRayw
z5@G`TvlTKCxKrm>coUEP66H>tyx>qDJ07div)_q)qzZnAPzYP$n5Hj;Sua*N%GEv#
z-+rf_5YTTvza44L9=|kJqZtk0Rq2Z?#_gzvTZ5ej;pV6f%P$Sg5^t(a#KGNFHpT)x
zOT9oDuf9Mu^qMGl5reg;iZA$%p#a;PJsGrH(EYx?uZc}BuAXs-gj<`Tt}gkad-f<s
zx&20JnIWc7gd&kA41+X-81WXv=wL(m+Xr5F5#Av-mrw-wjf7P~<MNw#9<O#Hex0V9
z;Qg&AY#)C2m8bs*@SFG#DF@9k5NrVJG?JwKY){(lc<yOo*_LP*am&6WgKlJ3yPVUV
zHtTt{Sd-Ur<C9(<s5`vNBJng948wS8*wZ3qAO*8a0+wIVLIM<M2g01^mO@|GK6eG{
zSQA3sMR}T&tRcKM{|LJtWqxZiw_O<Ii$SQWGvv6pWTtU?p3Dbz&6`|<WRL@_>&zcZ
z`;U~!k~&sww0$&_X<n8^r}t$o2qVSgzUglfDQl_p`_mN28jMbs2XbaUt?HS3hi~=i
zI%hbSWOhYMf_w)o9@X56e1#BNo>n`I2h3ucMZM@*QEb?0O31>PHyG8UG+1wOS$YYS
zR7b`6!?^g?xffx;N5kTiLB0U6jHbwI1hg;}(GRvV%t3_x`b|yY7j!!@6bS7dBV^;S
z=GFVCx|wf@-1?*ZnVhqu-7qU`t3i@a68#ih0=V2OMOut#xiob4t&Pb+S+?R*L-wK#
zK_3aLtO*GQ(&<JuEf1*$nNdD>R!}@YusvFofDWsbuMX{Ohcl+*`#iw(@OhkLQa1-e
zDXI04*Doj7q)C^GW_DIwqCh}E7JH6OQKU<R{|NTp{%9TzcKW>K3wRECD_mhN2(JlT
z(Jc2R_>kM}IK<?wKhX{Q+`Vx02+fY?bc3U2@4r_{cY8AkjZsNuEF<OiiD2(o-8zhH
zOzGLh@V|~^d7}7D%D(~DECL(->^MQpiaN_JLq0)F26C1)0&~*hD<mAH5~nEiL8L3f
z1Q`;dmbSQ@Vq0r(T}rCb?3vVt@+yPky=x1n1rOw@qu%WqgnS%V6Pf!D1<fQ>UV#bl
zD8JPOJdhc0TOU@EGiM0jFeInlvZD<!(;*2J);ZTKScd<y7rp@eSB(?fOtD@u5Ec<~
zz!p(g*mZoFwWNzA`LIXCx4=udS|ahY+})6JPY!!|1UGy1t6T9aRx8<jx`zgcN512L
zsV?R9>}4CIf99#@Xx7q6%109Ru=zNck|eQQ;9qDIHZXlR&}(XwP{EMuqzD2iWal0W
zpCL+XE;e|{w>|;?jNLRG_XT~>W;~BB^}a{%O;q1|Q>HJ#;+`puH-A<it`F?)U^Q_x
zCO=R;2f{auv1man(RV0(^ao@e+RfCJq%z*Ri0rR6<8LvzA~Qxz^ati@`ttUC3Y=lr
z=jU|R7#1QWuIUAuk@&SxK(6?M1f-jgO8O<7^oKNLpkDxiup>8aUEs3=2|L3%@;YPM
zjYg4tQ=Tb%Aw{Z^12Zz28ztEXelqcNf3rX;%W$X-7rC93Ar1PuYufP;&0zy9$?o~A
z<Bf5u<sW`2?zD^EVSs}o%(}AR+#`Z7GI3vHsl{_U7Kn*}H1BHf+Xm^uBupcv*^YFL
z9kS{HQw0GXX13^S;Fvu2ix+*iB?8<kPAb+AsVW2C;L$8dPZ73sGb9JJR#FXb+GAxV
za)eT%;fr@<OZVwJDNldIHNW*T7q7>^mYzvrH8oAMM@zs*Ri+A_oz5vc;8yMG)&q>5
zc#qwSpadamJNsicwI&z#dsa+*+kaovS~$PSpf&*T{J~q5$I3Pms~Un4kPI@tr}=zn
zTbI2^-n_uy<QwhcCbhNy$%z$<#Ws`G^uluN3{{M762j7rP1T81ijBGS2*tl&VBH2C
z9U$(l3e?REap{<cMsW<o3?OuB0Zp}{OiL&m#=&9^gPdK;><O&MOhOT>UBT;(yLiJV
zZSw(Tko6Gl7~RJ?*R?Mgi_y5Ca^$~r#6XF_7-K0MncH%V^H;l#s246rUQB%UZwW?U
zO0|iZQnM^IU$o=a9_~PD{-x{vbm`~x;sHeeHC0}FxIZ5+OIyD;5E&Nu{8@%uI(vs?
z<cPcZsIg<3$*W$05B;<W@8#u%P6<BQP>4rei%laj^wX;btY;@Te0>8z8uuxshyXn_
zyjvC+ARx`EARzxOAYOJ%u2#k_=4PsHF4hi~uKyFBJkr~C*_24_*{$&Z!?+!zZ!Xh9
z71@ZpshUi^ULnQ0ntUzO@>~eZE-gk9m=8L>v^do`1)TO&;Q9t__)DEzy^+ODHU~KU
z@jGQV`1!iz#b~8n79r^7@p66zd<vJ3MSqd#^zgj8`E$PC37^SH^dKBcb@QxI``^B_
z{=5;_HqSteNW4$?(@rMk#l<zXs@VQTJ`@x8YKT~Dp1QT{;9rogD6Z9%F~7V$JAOD7
zBB(Y;A%tO?DY}~Ouhe8h5+j1_J-rzEyua@xM%w9F>EB#k->hHhXVs|$P@}UUH%3#X
z-Q@NNPVDpu7Gm=<>5n(t2<4WGqd?*+(7Y2FIws8|0QD^I-p{y^2k0X@&~2Cy(K745
z&fMyi3|79M^b@*gPYXTL8%eI{d3%UIj3lwPD%JEL=H-1eAE;H&b>4!el3#H~bKEIu
zVGm>55W3h`?#R%&JEHsma?o)RK;{|$1OXk0N&Xc7O(81Y{qbuM@eMxSdLRvh8BUa4
z$<Xo9m6%mZkb~@(+}V~c?BCWKntr5^F=PjDp)^v7veuw7W-V`TJTv?aH_C2=2N8m>
z_sk({N-XOx&Pnt7wum$nf^jDxWG<GcvriHF`O_Gf@|mAAreztx5IpA`$#J$;LDCJ%
zwaJ<QYNym>Yu~YB^09lIF?Y;Y`~IC-MO(6TI=d)dX4L!Q@BFWX$r=LI&U0l9TLQf)
z`fW&R)}C3_FvIlJ99M%{Fa|V1LTA}mdfrU!H562agRlf?Fy6YcHE-2UmY4|Xj(=ts
z@KP4_KxP9`%DyT<^Mr~CtN}2QkiV~L(7*!YS9#pum;ESocLE$2ym4=sySM@}XSn_F
zp;Y!36CW_Xl7%?$hL}1g!ojhc71rx=F5N8U)h)f>m2eg<r+t)gv6z2@|1Pfu?~}1{
zkxWBiO9d@(FOg|c6_EMLP*Fe8sT*{S)Cx9g{l+t5P1$t?47t1<JX6q=zn=<?L0fTy
zdXposzDw<xZoIuK)kTaejaJPyp*Gg9Xd}#9NoV}gCIv3HBMmb-GxEd46C34exAlu1
zVUkoP>|YF9f=M_qkhiOmfuQO@^!0<|dc(ObXu(L3^+AC1Uqu{nzl2<6>;Y^}4l~jr
zG9d<UQnv2^S8LK5(CeL>N?PsgY+C1Lu0L-LMUNpjN&7vB3o%tUIzA-uYflht{1mA9
zWxUD;buc988?VN{t)8bQ*=NvMpB@&N(CFaMNnhVoVM4q5o4_X&7ZS%XzB?tuVmR#P
zx~C%z-T^&TkIRv$*fuoXu{e?TX6~(60($joJ?v@#2{m$Kb)(i7)0NYHYbacg@l0jQ
zwW~WE59&STWkoWr2t)#`(9k&XI10tozmF*eJ%IxY@lH@{NX6H<-Hc?A?PSoPT#d%g
zs)lTs%0@Cmz)xi_P;Yw0Khh@=@V9KZtep}0FQ}13Q4dntdfE8!&e*2~Oeg7w23s}F
zBb#*qSGd&FLS4o4fZm5U7fxTlbKH|GTRD*E#itjH-B<w#2MmV9@b*7q<_MNKay*Eg
zPE$o}Vz;)L^{ilV`>FdrfGv}35e75rV2Kt33D=2kwas!}+%^o>$-=e21ni7By_~t7
z#-$Pk9qI*rfIW^6hBgXXq$@LFB48$xhXo#BBBr7Gd8amR<T@`(Grn#ZCLr0o<V(d^
z6D7$7f#I=YF85bhxGyd{W|ZX`TgDI@3r8=oW`<i=j<08~$3*V;zU2hP5!xGx%ETu3
zlzh_|DSS1yuQRn-_}b6N>m?yPaTHq=s0l=mh*^Wu)g`W97E*&k@xcd6gQ_6r&b=w1
z))tmA5s8V@o>o5~Jv;A<weXM+cKA@q9od<?BF4Y>K9*#*h}95J?lL@w!$c;7T#}O~
z=#e{%3V&ZDMFp2ElEY@4M;MnKxtMucslV74=E`Utx(Lz^r1S^s;5EVjG0Tr$W5G<(
zez#@zkDU{-McxO-tR*2!PWhOZDl!xx`wqF-MOsjjmTIQVUSo+(R8A`6xBpfX4)o7>
z0+_Ek(ol4MovfN&{@~qWrJ;mH!-Lt?hf%k!VCywI(xYe_cvc9=P<m5Jm$(#3O-#ve
z7z@`*PmF0^ls_|uR0+RkgCV(VBOdIW9EM~XJxxjmLLZ0mNI*-p>HBb`*AO`Y<F2?r
zOC@yka|EaGNjUT#CEHtzg6vKt*2mW;%=6x&pjuS%`TUb}rm#k^sF_E%Vq{mHzmxWc
zLAp61&x(c_%7WNoFzhVC>}#@<VkIRkvCBvz4u)os_UaINM6kq>YP5@a$3%=e>9<6l
zE6sE5h&FXBsH6BTCa$a%dSH0~ggAadhv@SGkYHPg31dBhCs;pZGNi%KQ6x1?79<-t
zJZK&=+z3!CS^6MG7IDs4VA_9`ibbUq$eFg8n<feZXcHmboMtW$fi2Vsr>6*Z9IDTx
zjqIeij{G^f2J#Zz12B9<JSOtH5ok#CbO<`aT1#L!R@QfZ;Oc$P*b#&PtxKzOyC$g8
z<i?$9Fr&^WXO><bnjoR<Z<Z;D+C?oiVI)(^4KY_hP?0vxO?aS0I3CX35zd@uAP4zj
zr&gyi8#i<H^SmR$Y#9s$EN}=mhr5kxS#JxG2SeOLU;!RvD|=vwra+Zbj}|v%YbmK-
zv+A-!Ow2@6Jqy=k^4B&1gwl4A*u(IbI7Yp4tsO;B0q|?7dyt3pg+IltOOP9snp-qr
zrj76SAE!Xhv<UJ&@tfM(GPXVbyrx3?`#kP+C|qh)a7WZqtwvsGVoV<JR3HXpAg;kD
z>}#(aSb`f!Vsb{6Hbi5jD2`}*!5ya}wG5JQdBR~l^RX4-Yd{1bI5>EAH2{wa_GkbD
zo&5k=?59Zm79YVqUbN2qJl4b_d}jr+mkMV|dS&C&H3{J~Ge|y>elHlt)=UWl*zlD-
zs}9!@MBc(q(uK0jm<+mU`HM4CB&VHz!p4sr+Z5p*%$wR+Ban_-RRl?k6Iv6%`tAMP
zwDr3eop4uc;2${P6WPw63YP$8noPtY(PihShxwILxRzCOr*ztbKs5{s9iOB-r$5H8
zBtbg$s~v(%39P6pN5mhUQl;&8g-E=#z~*}~%@~DLj2m=^;Q_@L$V<%t&a-azHsUI!
z*GQ1kzXAX5LOm!_Xk*k+9(Jv{#C=WzRV=Xr*OcXL7HMz*Jfmgb0LOR@_jn0o-V1aT
z`EQAJ%#&IZLUrD8I5Y>`<4k5xm0}2Ch%0jL4ph2~8f>25#5OrfBG7x(b}VS%L%QXF
za2BK5q`NPj5C--6rI0>4DjS}H{hzc0H<rlA=Te_gI}JLrC&DgtF!ZGx)eFvYO@6k%
zycmAA-uWc}NzvX881e1x9u5V3G9+DvQQrjzIu!ah7D;P!j?x4P=AFJ-BlZIt)WF|I
z;e}l!QQOX-%+b2s!a8+j1m68yPbm}QG|^@V#5T3~cjeVQIg@%*u@psMGun2Fy>h*F
zO>rUES#Dx24^Lj?4YDCo4~P&A?=cwZ;{+EZl$sDgwK!`<W+SxMNxAu0E%b=-qzB!8
zRZgy&0G$z2Vbq4!(HzA^J3V-jXmw&{dI-0CdIw6%3-|AjcR1K0nwrUUtCr_QO1~S2
zI>1X7ss2|x&_*ad8tGy?r!&TmE<DXe88%u;jq<`?%z8|QLd6Vvk>4bu#FHohG>7Ht
z-**H6#Q*0<G*CenieD+>+2WBHor?CL9v`6`JERd+G+wS^9=rFS%<r|kOte7NxOpj(
zsF*<=7{&kcU7>10At`~*q>^Bk-^{+C@ULr>rZ-~d(I$?^Lp^<HGAh>4F3o|iiHGaA
zWpF@-h`mPf92p)u(jof<iE2YAxujCAAbx1Tre{<Y4-@4Ao0Gbvm%W6t;e-~Mjnv{T
zGnVe3PH7aAM>Pz(tB<9g!(vZls$l~hhut?LCsdO9>XJSS7Y_6ne=VbKpFOEVFx>pT
zpcBS%4fk4(HQHZkPpo0#U{NhNWG%iest6A8i2^PeIFV^MGk!`^TU+xe?#~*5$f!{O
z?Hq?;sCOUseah;<{V0cC<%extgiZeMjg?Rx-lJWW8}NJ`pwe<hTh3BMhmT|_GHPPA
z^O}^-#A6Zsq^n%0!%6`~)D{ictqVQJ1d)^tD&mb+1jHe}rH0gOij{j?><v}KfuK<%
zTR1J%s1KU2H<j9lYx#8&9a~%u1#uG~cj_l}YE~EvYZ*G!xMI35Fgh-iG;&X2OaV%N
zHfNl4aW{wN2eIoWFd((6ad!}ato<U@Jc`{5_N$;~X22-Iljrsp16LNn<}_`y3mKTw
zCTxAlkzGnpvlNB*#kQiGWUL^Xj2ENa;?CaN?pOU2BU{z7AHT>69=^Oee-Q$p(Ushh
zxP>;}AoNe(|585hq3N~Z3Vg&Wo$pv@M06i|zPK73MNbZ83?Sr)JTF!g_fGOMM!e^;
z1gplM?bY!==)hO~Nrds%DM}D1B$tQ|)>f2<757#xV%WqeU*~#0oA_N;ZPjM++nQ?i
zCE7YEZt8}`D{5n8Cj2Y+IWiaU;CyX%Njg3Qy6JjTe|BE>ilU#B*Y*$;#aJrnaM1wY
zceiA6t^TwgN5hUtwka8jplSPTg-!EV66y)ltevV+xq|)LxDheCL^X$hu}YtDj&W*=
zD`(*Pl;^w6!ef2%3<)JC>8M<;6h1L$lGi2gS-0gO-e6AKW_+m8gB}X-;6rCnEtfU6
zs}6U#W~5LhYYOv)Tj|vLDI0%#vZ|m=^oS3gbSR`;bnK0(jZ+XJ^3OGhq-c6naCpYZ
zs%FDL?CnJ6AQkuO%_s|Ubl+@#{t(}H(6|nt#NEL9SKe@cH2HdEt!N(3(zOxjd9r11
z%)T0qV>cxB?_rHLR)hcmo&M*mr}Kjh`-6upu2(^+Xfn|;g-|h~53_{$>4FeDDtrUH
zg)Uus{8=YV{R1A3{4OVw*7=L!XT$pFTz$l$6L~nH`Xsx8RG$qd$JT|7*up$J(v~0x
zo`?P}$Aavh!J<v%{(J-2BQoi2v4Il<wQ0%DFwEGt52aPUNhl7`-Sc#6CVTYdotG{b
zG7N~ad1$Zia+=EZm;}-CSBTkWs?nQYmTFCUrow12QmhOh%G<L}SQ{K}$~>Cf<PKE7
z;n+OUd%~BO4;>La?UeS*S(L~lC|6M(%*<5q7IAnzfGc2VP+n!#x#!1NNsVe;bgBGv
z0H%e^rQjr8-iZi!^p$3-?Uop(W`iPy4X@Uh?x0ogM3Ice#6VlMX3if8cYy5Pw$g_$
zZhv%0WI<vWOL^c>wh^nUYv7?(vr4)4a!#t5Jm$?h5G)ZK^q(-P0>(Ur@;6|usJBkK
z1U4g7IyXyg%IaM0wB+XFyU&G5>dn&6H7cmR2&t-CyzK(=qH3CgChLX~z!2HybFr<n
zOr<OBn-hf3jbd@3Ym%2Z|B3BE=Z=u-d~s)BK^{YoO^4v_8nmFae$!&_?C4Uy@U0CV
z_;8UD^V;f`OPl;X$hN)M2164l2teA(V5s3o@UUwH(B|2A6gKy_=<uO*c!qr6FElk*
z_WWH%`;-MRNjlFrGhkWu@9nf`RgLv{Vso@|lwY=P7zzO^>laC!XSF?uHVNrikh0=n
z4?^%SNesEtmGmfY90Ms3(2s+ksr`YT%FLS%l1FaZ@t;$8X_P_jN_irpL1GiFKeC%P
z+Mvkdj>%7FBw#P?uB{_k_2(p@^y8jEd67W1yJZ0AYdsBXiCx&r3&lnaYzQAuZ*gCk
z!_3|@)D|^#_u)7r<BY?-07{_9hCqUU>(NW_8P_I(m~RctToG(mfJB<WXCD4TJG0v*
zQUx+PLa5KOg|)e-=!(4rO$~UNlQS}{niL$=%%)U9YuT(XNh(FK<>DHak9Mu&XOK2L
zfdgRnoQO``ZH?zQyqz=ts-xY8;x6R55eVVnV*(FBi-$V<=hA^b{QVWw7!gqm@0H!`
z=U@h++i^PiY9?D%nLp#05iB^e+3xTQ$@_w1no0cI+2qran<T!efDN5ZtzV0+jj|*(
zrZ}mY)LfR@e<4G2)uijDrs2H)+~2B7ZtMX4Pf+xV7r8k3vaW5YR^JfjVSSXe$@wP}
z$xRo;rQg@nDJL9XXh^t!#x~@&)E{MfC1=vAHySnbrdiZ!1(#p%z4V^7vYgLS4{`Tb
zrjwp!xxO^xuQM&mH>s?i1z-f-`u>Chh&fVS(>k|h9XcKP<#=Rim$EP?#y-bE;IaTP
z_0@`6vlMT9=wCcVC7yTwF@jh(9juqk!*k+O&^ZkjOtHg%1-JJY0lMW{cF%XzS}%X&
z8^rlY2e&${`Ur{K$Ja_&J`2k3vv3$4u`yh|TU(w+Rkp*|Rxw)dIv+HDd0g7dgV<Is
z2lx*)%NSQxt9?I5T(S@JZ0NX4Z*~LpB3GA5II&dtg~5%G^Vy@F%bKp>xZGLZi%~bu
z<ai)aQ*!zx&*Kqx(B0d_Qd0d)o%;{ZcSB1f@yMs!oFkaXjM3OCp1g5lgOZorp-n>v
z<aHl+ZZC%ErLufH**@2C^*(qtk||aCVFPBaM&gx!$osMzAPC@^eNlp>#dZOn<WgA8
z3VmH>8`!U(#GgIgOUCc5=M6O!G#<n!pG!ml1;f)uXo-uc_Eta4vU-MBL$>^jm($Xg
z`%6|gaBg+kji~Mjf)O+n){c~U_LPG<e|wQ$tgF%EW(oWOkXPAXj1(4z!cMIS1MR)9
zmk-0Aqr})nr|>tu61!iw7o-0b(G?iPe7_&OO{RTUV(-xX_(E&O*Paj2_)8?%EVhL8
z9FRw2eYzQS8fNW27Dy=T4VgJXdeYwtVXDlK@cgNrkVI$r*9P&5gyO#({bz52rRUXB
zR2@AGn4Zklc<nx~Qn~gum}TB3Z}ZFMOkM9pm?5x-CIUI$EnQVfV~vvmlUm_TmBn=Z
zWooiHC#O3`?p5!m=)N(4cvpYT_oSN`t4lCf?Jyo>uImf?e=8~Btgo~@#GybyYFL3U
z+S&jbZaREK7lReL*{SXI_LnVJg&wa@i*|0GFnz<;>AO(H^&^<9wbG6ZV#NTzH-xLB
za$-N=XQBPAS3`fm{p<WFvHu-7<EOCDMeT(;K&*)U>+Z+~M<Z|A!oO>v<fiNz4!;Aq
z>2MC+adpy|65spAGXr62v9e8QdVi*9N(9I$Ih6KHZObO;-m0>?01$Ugx5s&Hj69)b
z?dS4XXtJxcmS^o+DeX=>x8b&wiT4J4`CRP2iy@nq@0xJgJEgz1R(dFpPJh%|maW<C
znGl|Fe(E7>Ui$>zyuUr#Xfb}{Jc(yn^(*cotZ@XeWcZV?`?QFMQOc_z*+Wi9Kmust
zLj%)Eyuu<QmF}u)5B;+1;z#TCYyAG~KH5M0HLMXdG$M*??OXzoDGH*_p565Pkum)F
zs{fV=nTyreaH1)V5!^J?Q`}sBsQj@q;3Zyt5VXq+qcP6AEG4qxZK$p5ec<fGF^ft0
zL!u9YSrv#<4ZdVRmF9}6$8oTnS_9Zh$m2{-AR8D5Ml(r<QhFJerAme<h(XVoL%}se
zVK;(cg{jfdX65i*{oOW)Ok4g|yq<ZuM=jH+7<gV6n-N!m;T4maPm#Qpa~5Vwl4U8C
z*}i%hYyhGi6ED}U^vLGaVhi|1XXSnRu*7h;SI}~)Flr;MSQup}G_a<GCCDd+9LYtf
z-D#C%Eqv5XGmss09!pSQ2ucfM@syvjy^7Ue6jum`Nm6Ev938oEJ!5D_dw`cU=W*E!
zE!F=yz5Wa}+PCm!f#SphrTS+F%+MnRFbVTbS2~>flh}O{8<l_kIw3<@{(61gzVml}
zzk=nr&eDswew5*>6UD8r76Xe;_EkT^3x<WDDvk_gC`6=>mzFCbHMK;CXVe`VM`iU;
z)2<c=m4?bQH=@yY)iUdvgk!w^MqgBT=%|nU3uE>ffBMu_Y4`@Z|JVut8WvFrU~$*L
z0*$#@(zaI{A;Bg6eHd9Z4;Ksvs)hErZ&ldtokOf)Y1Uu&YL;^W8eq2~P)c0qxVqH#
zq6j1D--~x){`H(0Ot1)tGOLa8<WYX2kQN=Ih^1TFoG}Q$i$c*=VkdcJ)(@)DaUg>S
zI#14VHAULCM}T6pRJBkr5g^wH7>tH_Q!r4G6CbB9>!YTiDWSWSvX;TQ`DIaLM)X@Q
zf-L<9IRzIDbY?ZEDaiGPDVNiFc?Hp$09g}M43)O;%ec@ea=pC&S5co8un)x}Gy=&y
z1$_`@v~I8j^uSjBbl8t4yLEeRu(3veK)X@h(Me9>phP`Qz(zxyz2uK2Ala;6;JiBU
z?i0I>#G13oaYQ&jSoxEIJwLUxU#d`Dz;0wni}8J)S2hMm_);cmWrBhGkR8TYkD`#2
zb2mPst?AG^$J+t!c>N7Wp@1E8WJ4-j^nMf1N{ZP$=~>=pYyfrRuM+pjNPgf#ru;v5
zlBYRvcuI81WNCFXbqM=k04~z|gk6>=XmWQ??S9fWV9qIF5pC201}<GUhXKyP825E!
zAp_C|1uKZt!DE<mb|ni+EewpCP(`<{kYb`9{Ui%$>Ppx(?qEf5XRWT6Q_wb@i=TgN
z0E=F1KeX?4w+3Nz;F|tkT?xm#kXGB_xEt@sWOuK@gLQcp^4pLMpfOTA*~%+H4X>D_
zFNqx%mIgg(JT+5PhWNdYv;IGmZRfDPUZ-qX?7F$OMm{oz_n<O6cbz~&+w4FulrvHn
z4`u=-9i-5h+GN@L2QU)w-WYOd#53^dIlojk6Sl_O%_2x%GV6fJIODxHOy~#t0mvv5
zG2_dfG4wT=(WBJ?DX=ZFW0(%RhH$wgRiQYv3@qAeP@_hH3ti(}F5`T6mptp)idg|o
zpXxg6#v_`=JFHHdX=w&(F8pw~q<^C91{dIJN9N8ej6DA_%<;$;$Hg29i&>i$FQ$)K
zPLWbH0BBT@`_v(R#jwa(n{9+<#T^>u95d3j`PIhVOq=)6KXjS$%Bp961aHWUigWJq
zlb1sL9Yt6&{I9M72jYUa`GYHM{7Ui1{Qk`Ie?3BDj8P9X5W<THXl2FFsOVJ&3e>P>
zXe9U10tHgWBQ+-4xFP~&tcZYQUJSq#t9~GH0wnOmo4P2(8nn^ZmlPBNF_%-YG2f30
z6d>=o$&ApAyar%)^E9J)5DXoHY$+&n$4S7z_gSRooVSq;9$LEV&9kFYXu#@>^gB8{
zL{H=TQ#zB&B6fHc6{+3N+O*eHzlqtoyLCdWjU}yJZDZ*?%o}r6>hoa%YY+_oO3oc0
zgfK$SvQFJ!yB0SlJ41d|r|g_cYX?TG53s^0VYX}6ye)1SI~Bjn<&u)2Q|Y3b`WhOG
zOU9#==|z4L&JQw;MbwGXn}QHpMGL3w*<dEYPKhm;Da(m-VQS}y*;Dh6u%NZu^jKkp
z!j<mb>;2bL{YTx^)VCHyyLpLZTq$-rDKGCF^QHHPWG+277(!TBoKejdk}t(y6VSgl
zIOhxIGnrRst3SumY$*QM&@|MDza*YuycX?mheqPRg;_zorMynSN!QSaGiaVX0Qa!X
zwb=O9WhsVN_TSk2B>KJU-SOo~s``V8;B44f^soesc51`x<D8@W@@^*wWoA*&4;!OP
zqSUUv7|kSd0|s^sRj>`Wl6aeY0S^B0AO>QqEe+vpCdPHVL$EJ}yZ8RG;s5>4PJm7L
z|EG&eDOv?I0$3EyK=6P1DL_E}YpeMGj1$BpBs?Hg3@vCkkR?VOOqUB-z=a8njiCkO
z76b+eVgYCWBcFtUA2GxP|NlJb|2gMQ49FQvN$`KZ9Uvg&|A+e@6{!vU(53+9#L|Kx
z8~sP(1CL_a!6wascyTgdBj!M53mRa2915^H9uI8V64)6>0sI$_2bvB1h!Y1BvjvLA
z3xVf*fB^rw;{tQyQGj`Icwoa`!0~tr;9eXaXbliHK^*Mc2dI=l_rFL50ur!5iGisJ
zf?y8;z?B4ku+1PKMxqdyU?{L45ev8*3J2u<@4m1^JWw%UexfXxY{dUEt|H)oh)F0=
KDpCI<|NjM6i=jaP

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
index 9177d7e15a..41aea32ae7 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
@@ -2,21 +2,6 @@
     "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
-        "topLevelManagementGroupPrefix": {
-            "type": "string",
-            "metadata": {
-                "description": "Provide the ESLZ company prefix to the intermediate root management group containing the policy definitions."
-            }
-        },
-        "effect": {
-            "type": "string",
-            "allowedValues": [
-                "Deny",
-                "Audit",
-                "Disabled"
-            ],
-            "defaultValue": "Audit"
-        },
         "enforcementMode": {
             "type": "string",
             "allowedValues": [
@@ -32,7 +17,7 @@
     },
     "variables": {
         "policyDefinitions": {
-            "auditRGL": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Audit-ResourceRGLocation')]"
+            "auditRGL": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a"
         },
         "policyAssignmentNames": {
             "auditRGL": "Audit-ResourceRGLocation",
@@ -61,9 +46,6 @@
                     }
                 ],
                 "parameters": {
-                    "effect": {
-                        "value": "[parameters('effect')]"
-                    }
                 }
             }
         }
diff --git a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json b/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json
deleted file mode 100644
index 01aa3e1411..0000000000
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json
+++ /dev/null
@@ -1,58 +0,0 @@
-{
-    "name": "Audit-ResourceRGLocation",
-    "type": "Microsoft.Authorization/policyDefinitions",
-    "apiVersion": "2021-06-01",
-    "scope": null,    
-    "properties": {
-      "displayName": "Resource Group and Resource locations should match",
-      "description": "In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains.",
-      "version": "1.0.0",
-      "metadata": {
-        "version": "1.0.0",
-        "category": "General",
-        "source": "https://github.com/Azure/Enterprise-Scale/",
-        "alzCloudEnvironments": [
-          "AzureCloud",
-          "AzureChinaCloud",
-          "AzureUSGovernment"
-        ]
-      },
-      "mode": "Indexed",
-      "parameters": {
-        "effect": {
-          "type": "String",
-          "metadata": {
-            "displayName": "Effect",
-            "description": "Deny, Audit or Disabled the execution of the Policy"
-          },
-          "allowedValues": [
-            "Deny",
-            "Audit",
-            "Disabled"
-          ],
-          "defaultValue": "Audit"
-        }
-      },
-      "policyRule": {
-        "if": {
-          "allOf": [
-            {
-              "field": "location",
-              "notEquals": "[resourceGroup().location]"
-            },
-            {
-              "field": "location",
-              "notEquals": "global"
-            },
-            {
-              "field": "type",
-              "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories"
-            }
-          ]
-        },
-        "then": {
-          "effect": "[parameters('effect')]"
-        }
-      }
-    }
-  }
\ No newline at end of file
diff --git a/src/templates/policies.bicep b/src/templates/policies.bicep
index 11a477c1ec..29b9776eda 100644
--- a/src/templates/policies.bicep
+++ b/src/templates/policies.bicep
@@ -179,7 +179,6 @@ var loadPolicyDefinitions = {
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-PrivateLinkDnsZones.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs.json')
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs.json')
-    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-ResourceRGLocation.json')
   ]
   AzureCloud: [
     loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId.json') // Needs validating in AzureChinaCloud and AzureUSGovernment

From aee6f4c4db5111cbd672d89b9b76841d47587a8a Mon Sep 17 00:00:00 2001
From: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 21 Dec 2023 12:52:09 +0000
Subject: [PATCH 6/8] Auto-update Portal experience [Springstone/a9ba97c9]

---
 .../policyDefinitions/policies.json           | 136 +++++++++---------
 .../customRoleDefinitions.json                |   4 +-
 2 files changed, 69 insertions(+), 71 deletions(-)

diff --git a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
index 01a264354a..a9b75f966c 100644
--- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.23.1.45101",
-      "templateHash": "5249879299117061376"
+      "version": "0.24.24.22086",
+      "templateHash": "4018557226874710368"
     }
   },
   "parameters": {
@@ -131,62 +131,61 @@
     "$fxv#109": "{\n    \"name\": \"DenyAction-DiagnosticLogs\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"displayName\": \"DenyAction implementation on Diagnostic Logs.\",\n        \"description\": \"DenyAction implementation on Diagnostic Logs.\",\n        \"metadata\": {\n            \"deprecated\": false,\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"type\",\n                \"equals\": \"Microsoft.Insights/diagnosticSettings\"\n            },\n            \"then\": {\n                \"effect\": \"denyAction\",\n                \"details\": {\n                    \"actionNames\": [\n                        \"delete\"\n                    ]\n                }\n            }\n        }\n    }\n}",
     "$fxv#11": "{\n  \"name\": \"Deny-AppServiceFunctionApp-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Function App should only be accessible over HTTPS\",\n    \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"App Service\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Web/sites\"\n          },\n          {\n            \"field\": \"kind\",\n            \"like\": \"functionapp*\"\n          },\n          {\n            \"field\": \"Microsoft.Web/sites/httpsOnly\",\n            \"equals\": \"false\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#110": "{\n    \"name\": \"DenyAction-ActivityLogs\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"Indexed\",\n        \"displayName\": \"DenyAction implementation on Activity Logs\",\n        \"description\": \"This is a DenyAction implementation policy on Activity Logs.\",\n        \"metadata\": {\n            \"deprecated\": false,            \n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyRule\": {\n            \"if\": {\n                \"field\": \"type\",\n                \"equals\": \"Microsoft.Resources/subscriptions/providers/diagnosticSettings\"\n            },\n            \"then\": {\n                \"effect\": \"denyAction\",\n                \"details\": {\n                    \"actionNames\": [\n                        \"delete\"\n                    ]\n                }\n            }\n        }\n    }\n}",
-    "$fxv#111": "{\n    \"name\": \"Audit-ResourceRGLocation\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,    \n    \"properties\": {\n      \"displayName\": \"Resource Group and Resource locations should match\",\n      \"description\": \"In order to improve resilience and reliability, you need to be aware of where resources are deployed. To aid this awareness, ensure that the location of the resource group matches the location of the resources it contains.\",\n      \"version\": \"1.0.0\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"General\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [\n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"mode\": \"Indexed\",\n      \"parameters\": {\n        \"effect\": {\n          \"type\": \"String\",\n          \"metadata\": {\n            \"displayName\": \"Effect\",\n            \"description\": \"Deny, Audit or Disabled the execution of the Policy\"\n          },\n          \"allowedValues\": [\n            \"Deny\",\n            \"Audit\",\n            \"Disabled\"\n          ],\n          \"defaultValue\": \"Audit\"\n        }\n      },\n      \"policyRule\": {\n        \"if\": {\n          \"allOf\": [\n            {\n              \"field\": \"location\",\n              \"notEquals\": \"[resourceGroup().location]\"\n            },\n            {\n              \"field\": \"location\",\n              \"notEquals\": \"global\"\n            },\n            {\n              \"field\": \"type\",\n              \"notEquals\": \"Microsoft.AzureActiveDirectory/b2cDirectories\"\n            }\n          ]\n        },\n        \"then\": {\n          \"effect\": \"[parameters('effect')]\"\n        }\n      }\n    }\n  }",
-    "$fxv#112": "{\n  \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n    \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n            \"equals\": \"Approved\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n                \"notEquals\": \"[[subscription().subscriptionId]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#113": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#114": "{\n  \"name\": \"Deny-Databricks-NoPublicIp\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public IPs for Databricks cluster\",\n    \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n            \"notEquals\": true\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#115": "{\n  \"name\": \"Deny-Databricks-Sku\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny non-premium Databricks sku\",\n    \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n            \"notEquals\": \"premium\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
-    "$fxv#116": "{\n  \"name\": \"Deny-Databricks-VirtualNetwork\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n    \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n                \"exists\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#117": "{\n  \"name\": \"Deny-MachineLearning-Aks\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n    \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AKS\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#118": "{\n  \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#119": "{\n  \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"allowedVmSizes\": {\n        \"type\": \"Array\",\n        \"metadata\": {\n          \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n          \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n        },\n        \"defaultValue\": [\n          \"Standard_D1_v2\",\n          \"Standard_D2_v2\",\n          \"Standard_D3_v2\",\n          \"Standard_D4_v2\",\n          \"Standard_D11_v2\",\n          \"Standard_D12_v2\",\n          \"Standard_D13_v2\",\n          \"Standard_D14_v2\",\n          \"Standard_DS1_v2\",\n          \"Standard_DS2_v2\",\n          \"Standard_DS3_v2\",\n          \"Standard_DS4_v2\",\n          \"Standard_DS5_v2\",\n          \"Standard_DS11_v2\",\n          \"Standard_DS12_v2\",\n          \"Standard_DS13_v2\",\n          \"Standard_DS14_v2\",\n          \"Standard_M8-2ms\",\n          \"Standard_M8-4ms\",\n          \"Standard_M8ms\",\n          \"Standard_M16-4ms\",\n          \"Standard_M16-8ms\",\n          \"Standard_M16ms\",\n          \"Standard_M32-8ms\",\n          \"Standard_M32-16ms\",\n          \"Standard_M32ls\",\n          \"Standard_M32ms\",\n          \"Standard_M32ts\",\n          \"Standard_M64-16ms\",\n          \"Standard_M64-32ms\",\n          \"Standard_M64ls\",\n          \"Standard_M64ms\",\n          \"Standard_M64s\",\n          \"Standard_M128-32ms\",\n          \"Standard_M128-64ms\",\n          \"Standard_M128ms\",\n          \"Standard_M128s\",\n          \"Standard_M64\",\n          \"Standard_M64m\",\n          \"Standard_M128\",\n          \"Standard_M128m\",\n          \"Standard_D1\",\n          \"Standard_D2\",\n          \"Standard_D3\",\n          \"Standard_D4\",\n          \"Standard_D11\",\n          \"Standard_D12\",\n          \"Standard_D13\",\n          \"Standard_D14\",\n          \"Standard_DS15_v2\",\n          \"Standard_NV6\",\n          \"Standard_NV12\",\n          \"Standard_NV24\",\n          \"Standard_F2s_v2\",\n          \"Standard_F4s_v2\",\n          \"Standard_F8s_v2\",\n          \"Standard_F16s_v2\",\n          \"Standard_F32s_v2\",\n          \"Standard_F64s_v2\",\n          \"Standard_F72s_v2\",\n          \"Standard_NC6s_v3\",\n          \"Standard_NC12s_v3\",\n          \"Standard_NC24rs_v3\",\n          \"Standard_NC24s_v3\",\n          \"Standard_NC6\",\n          \"Standard_NC12\",\n          \"Standard_NC24\",\n          \"Standard_NC24r\",\n          \"Standard_ND6s\",\n          \"Standard_ND12s\",\n          \"Standard_ND24rs\",\n          \"Standard_ND24s\",\n          \"Standard_NC6s_v2\",\n          \"Standard_NC12s_v2\",\n          \"Standard_NC24rs_v2\",\n          \"Standard_NC24s_v2\",\n          \"Standard_ND40rs_v2\",\n          \"Standard_NV12s_v3\",\n          \"Standard_NV24s_v3\",\n          \"Standard_NV48s_v3\"\n        ]\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n            \"notIn\": \"[[parameters('allowedVmSizes')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#111": "{\n  \"name\": \"Audit-MachineLearning-PrivateEndpointId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Control private endpoint connections to Azure Machine Learning\",\n    \"description\": \"Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status\",\n            \"equals\": \"Approved\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]\",\n                \"notEquals\": \"[[subscription().subscriptionId]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#112": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#113": "{\n  \"name\": \"Deny-Databricks-NoPublicIp\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public IPs for Databricks cluster\",\n    \"description\": \"Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value\",\n            \"notEquals\": true\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#114": "{\n  \"name\": \"Deny-Databricks-Sku\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny non-premium Databricks sku\",\n    \"description\": \"Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for Microsoft Entra ID.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.DataBricks/workspaces/sku.name\",\n            \"notEquals\": \"premium\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
+    "$fxv#115": "{\n  \"name\": \"Deny-Databricks-VirtualNetwork\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny Databricks workspaces without Vnet injection\",\n    \"description\": \"Enforces the use of vnet injection for Databricks workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Databricks\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Databricks/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value\",\n                \"exists\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#116": "{\n  \"name\": \"Deny-MachineLearning-Aks\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny AKS cluster creation in Azure Machine Learning\",\n    \"description\": \"Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AKS\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/resourceId\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#117": "{\n  \"name\": \"Deny-MachineLearning-Compute-SubnetId\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/subnet.id\",\n                \"exists\": false\n              },\n              {\n                \"value\": \"[[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]\",\n                \"equals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#118": "{\n  \"name\": \"Deny-MachineLearning-Compute-VmSize\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances\",\n    \"description\": \"Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"allowedVmSizes\": {\n        \"type\": \"Array\",\n        \"metadata\": {\n          \"displayName\": \"Allowed VM Sizes for Aml Compute Clusters and Instances\",\n          \"description\": \"Specifies the allowed VM Sizes for Aml Compute Clusters and Instances\"\n        },\n        \"defaultValue\": [\n          \"Standard_D1_v2\",\n          \"Standard_D2_v2\",\n          \"Standard_D3_v2\",\n          \"Standard_D4_v2\",\n          \"Standard_D11_v2\",\n          \"Standard_D12_v2\",\n          \"Standard_D13_v2\",\n          \"Standard_D14_v2\",\n          \"Standard_DS1_v2\",\n          \"Standard_DS2_v2\",\n          \"Standard_DS3_v2\",\n          \"Standard_DS4_v2\",\n          \"Standard_DS5_v2\",\n          \"Standard_DS11_v2\",\n          \"Standard_DS12_v2\",\n          \"Standard_DS13_v2\",\n          \"Standard_DS14_v2\",\n          \"Standard_M8-2ms\",\n          \"Standard_M8-4ms\",\n          \"Standard_M8ms\",\n          \"Standard_M16-4ms\",\n          \"Standard_M16-8ms\",\n          \"Standard_M16ms\",\n          \"Standard_M32-8ms\",\n          \"Standard_M32-16ms\",\n          \"Standard_M32ls\",\n          \"Standard_M32ms\",\n          \"Standard_M32ts\",\n          \"Standard_M64-16ms\",\n          \"Standard_M64-32ms\",\n          \"Standard_M64ls\",\n          \"Standard_M64ms\",\n          \"Standard_M64s\",\n          \"Standard_M128-32ms\",\n          \"Standard_M128-64ms\",\n          \"Standard_M128ms\",\n          \"Standard_M128s\",\n          \"Standard_M64\",\n          \"Standard_M64m\",\n          \"Standard_M128\",\n          \"Standard_M128m\",\n          \"Standard_D1\",\n          \"Standard_D2\",\n          \"Standard_D3\",\n          \"Standard_D4\",\n          \"Standard_D11\",\n          \"Standard_D12\",\n          \"Standard_D13\",\n          \"Standard_D14\",\n          \"Standard_DS15_v2\",\n          \"Standard_NV6\",\n          \"Standard_NV12\",\n          \"Standard_NV24\",\n          \"Standard_F2s_v2\",\n          \"Standard_F4s_v2\",\n          \"Standard_F8s_v2\",\n          \"Standard_F16s_v2\",\n          \"Standard_F32s_v2\",\n          \"Standard_F64s_v2\",\n          \"Standard_F72s_v2\",\n          \"Standard_NC6s_v3\",\n          \"Standard_NC12s_v3\",\n          \"Standard_NC24rs_v3\",\n          \"Standard_NC24s_v3\",\n          \"Standard_NC6\",\n          \"Standard_NC12\",\n          \"Standard_NC24\",\n          \"Standard_NC24r\",\n          \"Standard_ND6s\",\n          \"Standard_ND12s\",\n          \"Standard_ND24rs\",\n          \"Standard_ND24s\",\n          \"Standard_NC6s_v2\",\n          \"Standard_NC12s_v2\",\n          \"Standard_NC24rs_v2\",\n          \"Standard_NC24s_v2\",\n          \"Standard_ND40rs_v2\",\n          \"Standard_NV12s_v3\",\n          \"Standard_NV24s_v3\",\n          \"Standard_NV48s_v3\"\n        ]\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"in\": [\n              \"AmlCompute\",\n              \"ComputeInstance\"\n            ]\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/vmSize\",\n            \"notIn\": \"[[parameters('allowedVmSizes')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#119": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n    \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"notEquals\": \"Disabled\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#12": "{\n  \"name\": \"Deny-AppServiceWebApp-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Web Application should only be accessible over HTTPS\",\n    \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"App Service\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Web/sites\"\n          },\n          {\n            \"field\": \"kind\",\n            \"like\": \"app*\"\n          },\n          {\n            \"field\": \"Microsoft.Web/sites/httpsOnly\",\n            \"equals\": \"false\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#120": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deny public access of Azure Machine Learning clusters via SSH\",\n    \"description\": \"Deny public access of Azure Machine Learning clusters via SSH.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess\",\n                \"notEquals\": \"Disabled\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#121": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n    \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"maxNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Count\",\n          \"description\": \"Specifies the maximum node count of AML Clusters\"\n        },\n        \"defaultValue\": 10\n      },\n      \"minNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Minimum Node Count\",\n          \"description\": \"Specifies the minimum node count of AML Clusters\"\n        },\n        \"defaultValue\": 0\n      },\n      \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n          \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n        },\n        \"defaultValue\": 900\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n                \"greater\": \"[[parameters('maxNodeCount')]\"\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n                \"greater\": \"[[parameters('minNodeCount')]\"\n              },\n              {\n                \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n                \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#122": "{\n  \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n    \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"notEquals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#123": "{\n  \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n    \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"notEquals\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#124": "{\n  \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n    \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n            \"notEquals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#125": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#126": "{\n  \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
-    "$fxv#127": "{\n  \"name\": \"Deny-AFSPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n    \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n          },\n          {\n            \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n            \"notEquals\": \"AllowVirtualNetworksOnly\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#128": "{\n  \"name\": \"Deny-KeyVaultPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n    \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"2.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.KeyVault/vaults\"\n          },\n          {\n            \"not\": {\n              \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n              \"equals\": \"recover\"\n            }\n          },\n          {\n            \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n            \"notEquals\": \"Deny\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#129": "{\n  \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        },\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"defaultValue\": \"True\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Resources/subscriptions\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"[[parameters('logsEnabled')]\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"chinaeast2\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"logAnalytics\": {\n                    \"type\": \"string\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"name\": \"subscriptionToLa\",\n                    \"type\": \"Microsoft.Insights/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"location\": \"Global\",\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Administrative\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Security\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ServiceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Alert\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Recommendation\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Policy\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ResourceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ]\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#120": "{\n  \"name\": \"Deny-MachineLearning-ComputeCluster-Scale\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforce scale settings for Azure Machine Learning compute clusters\",\n    \"description\": \"Enforce scale settings for Azure Machine Learning compute clusters.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"maxNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Count\",\n          \"description\": \"Specifies the maximum node count of AML Clusters\"\n        },\n        \"defaultValue\": 10\n      },\n      \"minNodeCount\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Minimum Node Count\",\n          \"description\": \"Specifies the minimum node count of AML Clusters\"\n        },\n        \"defaultValue\": 0\n      },\n      \"maxNodeIdleTimeInSecondsBeforeScaleDown\": {\n        \"type\": \"Integer\",\n        \"metadata\": {\n          \"displayName\": \"Maximum Node Idle Time in Seconds Before Scaledown\",\n          \"description\": \"Specifies the maximum node idle time in seconds before scaledown\"\n        },\n        \"defaultValue\": 900\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces/computes\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/computeType\",\n            \"equals\": \"AmlCompute\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount\",\n                \"greater\": \"[[parameters('maxNodeCount')]\"\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount\",\n                \"greater\": \"[[parameters('minNodeCount')]\"\n              },\n              {\n                \"value\": \"[[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]\",\n                \"greater\": \"[[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#121": "{\n  \"name\": \"Deny-MachineLearning-HbiWorkspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Enforces high business impact Azure Machine Learning Workspaces\",\n    \"description\": \"Enforces high business impact Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/hbiWorkspace\",\n                \"notEquals\": true\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#122": "{\n  \"name\": \"Deny-MachineLearning-PublicAccessWhenBehindVnet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny public access behind vnet to Azure Machine Learning workspace\",\n    \"description\": \"Deny public access behind vnet to Azure Machine Learning workspaces.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"exists\": false\n              },\n              {\n                \"field\": \"Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet\",\n                \"notEquals\": false\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#123": "{\n  \"name\": \"Deny-MachineLearning-PublicNetworkAccess\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Azure Machine Learning should have disabled public network access\",\n    \"description\": \"Denies public network access for Azure Machine Learning workspaces. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/438c38d2-3772-465a-a9cc-7a6666a275ce.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Machine Learning\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"438c38d2-3772-465a-a9cc-7a6666a275ce\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.MachineLearningServices/workspaces\"\n          },\n          {\n            \"field\": \"Microsoft.MachineLearningServices/workspaces/publicNetworkAccess\",\n            \"notEquals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#124": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#125": "{\n  \"name\": \"Deploy-Diagnostics-AVDScalingPlans\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled.\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"True\",\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DesktopVirtualization/scalingplans\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"name\": \"[[parameters('profileName')]\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"true\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"resourceName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logAnalytics\": {\n                    \"type\": \"String\"\n                  },\n                  \"location\": {\n                    \"type\": \"String\"\n                  },\n                  \"profileName\": {\n                    \"type\": \"String\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"String\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"name\": \"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"dependsOn\": [],\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"resourceName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"profileName\": {\n                  \"value\": \"[[parameters('profileName')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}",
+    "$fxv#126": "{\n  \"name\": \"Deny-AFSPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Public network access should be disabled for Azure File Sync\",\n    \"description\": \"Disabling the public endpoint allows you to restrict access to your Storage Sync Service resource to requests destined to approved private endpoints on your organization's network. There is nothing inherently insecure about allowing requests to the public endpoint, however, you may wish to disable it to meet regulatory, legal, or organizational policy requirements. You can disable the public endpoint for a Storage Sync Service by setting the incomingTrafficPolicy of the resource to AllowVirtualNetworksOnly.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.StorageSync/storageSyncServices\"\n          },\n          {\n            \"field\": \"Microsoft.StorageSync/storageSyncServices/incomingTrafficPolicy\",\n            \"notEquals\": \"AllowVirtualNetworksOnly\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#127": "{\n  \"name\": \"Deny-KeyVaultPaasPublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Azure Key Vault should disable public network access\",\n    \"description\": \"Disable public network access for your key vault so that it's not accessible over the public internet. This can reduce data leakage risks. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"2.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Audit\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.KeyVault/vaults\"\n          },\n          {\n            \"not\": {\n              \"field\": \"Microsoft.KeyVault/vaults/createMode\",\n              \"equals\": \"recover\"\n            }\n          },\n          {\n            \"field\": \"Microsoft.KeyVault/vaults/networkAcls.defaultAction\",\n            \"notEquals\": \"Deny\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#128": "{\n  \"name\": \"Deploy-ActivityLogs-to-LA-workspace\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Configure Azure Activity logs to stream to specified Log Analytics workspace\",\n    \"description\": \"Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"logsEnabled\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Enable logs\",\n          \"description\": \"Whether to enable logs stream to the Log Analytics workspace - True or False\"\n        },\n        \"allowedValues\": [\n          \"True\",\n          \"False\"\n        ],\n        \"defaultValue\": \"True\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Resources/subscriptions\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Insights/diagnosticSettings\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/logs.enabled\",\n                \"equals\": \"[[parameters('logsEnabled')]\"\n              },\n              {\n                \"field\": \"Microsoft.Insights/diagnosticSettings/workspaceId\",\n                \"equals\": \"[[parameters('logAnalytics')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"location\": \"chinaeast2\",\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"logAnalytics\": {\n                    \"type\": \"string\"\n                  },\n                  \"logsEnabled\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"name\": \"subscriptionToLa\",\n                    \"type\": \"Microsoft.Insights/diagnosticSettings\",\n                    \"apiVersion\": \"2017-05-01-preview\",\n                    \"location\": \"Global\",\n                    \"properties\": {\n                      \"workspaceId\": \"[[parameters('logAnalytics')]\",\n                      \"logs\": [\n                        {\n                          \"category\": \"Administrative\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Security\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ServiceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Alert\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Recommendation\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Policy\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"Autoscale\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        },\n                        {\n                          \"category\": \"ResourceHealth\",\n                          \"enabled\": \"[[parameters('logsEnabled')]\"\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              },\n              \"parameters\": {\n                \"logAnalytics\": {\n                  \"value\": \"[[parameters('logAnalytics')]\"\n                },\n                \"logsEnabled\": {\n                  \"value\": \"[[parameters('logsEnabled')]\"\n                }\n              }\n            }\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa\",\n            \"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293\"\n          ]\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#129": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
     "$fxv#13": "{\n  \"name\": \"Deny-MySql-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL database servers enforce SSL connections.\",\n    \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"minimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforMySQL/servers\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n                \"exists\": \"false\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/sslEnforcement\",\n                \"notEquals\": \"Enabled\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/minimalTlsVersion\",\n                \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#130": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#131": "{\n  \"name\": \"Deploy-MySQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMySQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#132": "{\n  \"name\": \"Deploy-PostgreSQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#133": "{\n  \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n    \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"privateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"afs\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-afs\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#134": "{\n  \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone ID\",\n          \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"vault\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"keyvault-privateDnsZone\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#135": "{\n  \"name\": \"Deploy-Private-DNS-Azure-Web\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Web PubSub\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone Id\",\n          \"description\": \"Private DNS zone to integrate with private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"webpubsub\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-webpubsub-azure-com\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#136": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#137": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#138": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
-    "$fxv#139": "{\n    \"name\": \"Audit-UnusedResourcesCostOptimization\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Unused resources driving cost should be avoided\",\n        \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n        \"metadata\": {\n            \"version\": \"2.0.0\",\n            \"category\": \"Cost Optimization\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n              ]\n        },\n        \"parameters\": {\n            \"effectDisks\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Disks Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectPublicIpAddresses\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"PublicIpAddresses Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectServerFarms\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"ServerFarms Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDisks')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectServerFarms')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"Audit\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#130": "{\n  \"name\": \"Deploy-MySQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"MySQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforMySQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforMySQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforMySQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#131": "{\n  \"name\": \"Deploy-PostgreSQLCMKEffect\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL servers should use customer-managed keys to encrypt data at rest\",\n    \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys are commonly required to meet regulatory compliance standards. Customer-managed keys enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\",\n    \"metadata\": {\n      \"version\": \"1.0.4\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.DBforPostgreSQL/servers/keys\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/serverKeyType\",\n                \"equals\": \"AzureKeyVault\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"notEquals\": \"\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/keys/uri\",\n                \"exists\": \"true\"\n              }\n            ]\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#132": "{\n  \"name\": \"Deploy-Private-DNS-Azure-File-Sync\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure File Sync to use private DNS zones\",\n    \"description\": \"To access the private endpoint(s) for Storage Sync Service resource interfaces from a registered server, you need to configure your DNS to resolve the correct names to your private endpoint's private IP addresses. This policy creates the requisite Azure Private DNS Zone and A records for the interfaces of your Storage Sync Service private endpoint(s).\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Storage\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"privateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"afs\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b12aa53e-6015-4669-85d0-8515ebb3ae7f\",\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-afs\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#133": "{\n  \"name\": \"Deploy-Private-DNS-Azure-KeyVault\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Preview: Configure Azure Key Vaults to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to key vault. Learn more at: https://aka.ms/akvprivatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0-preview\",\n      \"category\": \"Key Vault\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"preview\": true,\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone ID\",\n          \"description\": \"A private DNS zone ID to connect to the private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"assignPermissions\": true\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"vault\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"keyvault-privateDnsZone\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#134": "{\n  \"name\": \"Deploy-Private-DNS-Azure-Web\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Configure Azure Web PubSub Service to use private DNS zones\",\n    \"description\": \"Use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone links to your virtual network to resolve to Azure Web PubSub service. Learn more at: https://aka.ms/awps/privatelink.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Web PubSub\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"privateDnsZoneId\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Private DNS Zone Id\",\n          \"description\": \"Private DNS zone to integrate with private endpoint.\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/privateEndpoints\"\n          },\n          {\n            \"count\": {\n              \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n              \"where\": {\n                \"field\": \"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]\",\n                \"equals\": \"webpubsub\"\n              }\n            },\n            \"greaterOrEquals\": 1\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"template\": {\n                \"$schema\": \"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"privateDnsZoneId\": {\n                    \"type\": \"string\"\n                  },\n                  \"privateEndpointName\": {\n                    \"type\": \"string\"\n                  },\n                  \"location\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"name\": \"[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]\",\n                    \"type\": \"Microsoft.Network/privateEndpoints/privateDnsZoneGroups\",\n                    \"apiVersion\": \"2020-03-01\",\n                    \"location\": \"[[parameters('location')]\",\n                    \"properties\": {\n                      \"privateDnsZoneConfigs\": [\n                        {\n                          \"name\": \"privatelink-webpubsub-azure-com\",\n                          \"properties\": {\n                            \"privateDnsZoneId\": \"[[parameters('privateDnsZoneId')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ]\n              },\n              \"parameters\": {\n                \"privateDnsZoneId\": {\n                  \"value\": \"[[parameters('privateDnsZoneId')]\"\n                },\n                \"privateEndpointName\": {\n                  \"value\": \"[[field('name')]\"\n                },\n                \"location\": {\n                  \"value\": \"[[field('location')]\"\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#135": "{\n  \"name\": \"Deny-AA-child-resources\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"No child resources in Automation Account\",\n    \"description\": \"This policy denies the creation of child resources on the Automation Account\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Automation\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"in\": [\n              \"Microsoft.Automation/automationAccounts/runbooks\",\n              \"Microsoft.Automation/automationAccounts/variables\",\n              \"Microsoft.Automation/automationAccounts/modules\",\n              \"Microsoft.Automation/automationAccounts/credentials\",\n              \"Microsoft.Automation/automationAccounts/connections\",\n              \"Microsoft.Automation/automationAccounts/certificates\"\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
+    "$fxv#136": "{\n  \"name\": \"Deploy-Budget\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"description\": \"Deploy a default budget on all subscriptions under the assigned scope\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Budget\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"budgetName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"budget-set-by-policy\",\n        \"metadata\": {\n          \"description\": \"The name for the budget to be created\"\n        }\n      },\n      \"amount\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1000\",\n        \"metadata\": {\n          \"description\": \"The total amount of cost or usage to track with the budget\"\n        }\n      },\n      \"timeGrain\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Monthly\",\n        \"allowedValues\": [\n          \"Monthly\",\n          \"Quarterly\",\n          \"Annually\",\n          \"BillingMonth\",\n          \"BillingQuarter\",\n          \"BillingAnnual\"\n        ],\n        \"metadata\": {\n          \"description\": \"The time covered by a budget. Tracking of the amount will be reset based on the time grain.\"\n        }\n      },\n      \"firstThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"90\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"secondThreshold\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"100\",\n        \"metadata\": {\n          \"description\": \"Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.\"\n        }\n      },\n      \"contactRoles\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [\n          \"Owner\",\n          \"Contributor\"\n        ],\n        \"metadata\": {\n          \"description\": \"The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactEmails\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded.\"\n        }\n      },\n      \"contactGroups\": {\n        \"type\": \"Array\",\n        \"defaultValue\": [],\n        \"metadata\": {\n          \"description\": \"The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts array of strings.\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Resources/subscriptions\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Consumption/budgets\",\n          \"deploymentScope\": \"subscription\",\n          \"existenceScope\": \"subscription\",\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Consumption/budgets/amount\",\n                \"equals\": \"[[parameters('amount')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/timeGrain\",\n                \"equals\": \"[[parameters('timeGrain')]\"\n              },\n              {\n                \"field\": \"Microsoft.Consumption/budgets/category\",\n                \"equals\": \"Cost\"\n              }\n            ]\n          },\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n          ],\n          \"deployment\": {\n            \"location\": \"northeurope\",\n            \"properties\": {\n              \"mode\": \"Incremental\",\n              \"parameters\": {\n                \"budgetName\": {\n                  \"value\": \"[[parameters('budgetName')]\"\n                },\n                \"amount\": {\n                  \"value\": \"[[parameters('amount')]\"\n                },\n                \"timeGrain\": {\n                  \"value\": \"[[parameters('timeGrain')]\"\n                },\n                \"firstThreshold\": {\n                  \"value\": \"[[parameters('firstThreshold')]\"\n                },\n                \"secondThreshold\": {\n                  \"value\": \"[[parameters('secondThreshold')]\"\n                },\n                \"contactEmails\": {\n                  \"value\": \"[[parameters('contactEmails')]\"\n                },\n                \"contactRoles\": {\n                  \"value\": \"[[parameters('contactRoles')]\"\n                },\n                \"contactGroups\": {\n                  \"value\": \"[[parameters('contactGroups')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"budgetName\": {\n                    \"type\": \"String\"\n                  },\n                  \"amount\": {\n                    \"type\": \"String\"\n                  },\n                  \"timeGrain\": {\n                    \"type\": \"String\"\n                  },\n                  \"firstThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"secondThreshold\": {\n                    \"type\": \"String\"\n                  },\n                  \"contactEmails\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactRoles\": {\n                    \"type\": \"Array\"\n                  },\n                  \"contactGroups\": {\n                    \"type\": \"Array\"\n                  },\n                  \"startDate\": {\n                    \"type\": \"String\",\n                    \"defaultValue\": \"[[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]\"\n                  }\n                },\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Consumption/budgets\",\n                    \"apiVersion\": \"2019-10-01\",\n                    \"name\": \"[[parameters('budgetName')]\",\n                    \"properties\": {\n                      \"timePeriod\": {\n                        \"startDate\": \"[[parameters('startDate')]\"\n                      },\n                      \"timeGrain\": \"[[parameters('timeGrain')]\",\n                      \"amount\": \"[[parameters('amount')]\",\n                      \"category\": \"Cost\",\n                      \"notifications\": {\n                        \"NotificationForExceededBudget1\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('firstThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        },\n                        \"NotificationForExceededBudget2\": {\n                          \"enabled\": true,\n                          \"operator\": \"GreaterThan\",\n                          \"threshold\": \"[[parameters('secondThreshold')]\",\n                          \"contactEmails\": \"[[parameters('contactEmails')]\",\n                          \"contactRoles\": \"[[parameters('contactRoles')]\",\n                          \"contactGroups\": \"[[parameters('contactGroups')]\"\n                        }\n                      }\n                    }\n                  }\n                ]\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#137": "{\n  \"name\": \"Deploy-Default-Udr\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deploy a user-defined route to a VNET with specific routes.\",\n    \"description\": \"Deploy a user-defined route to a VNET with routes from spoke to hub firewall. This policy must be assigned for each region you plan to use.\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"defaultRoute\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Default route to add into UDR\",\n          \"description\": \"Policy will deploy a default route table to a vnet\"\n        }\n      },\n      \"vnetRegion\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"VNet Region\",\n          \"description\": \"Regional VNet hub location\",\n          \"strongType\": \"location\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/virtualNetworks\"\n          },\n          {\n            \"field\": \"location\",\n            \"equals\": \"[[parameters('vnetRegion')]\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\",\n        \"details\": {\n          \"type\": \"Microsoft.Network/routeTables\",\n          \"roleDefinitionIds\": [\n            \"/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7\"\n          ],\n          \"existenceCondition\": {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/routeTables/routes[*].nextHopIpAddress\",\n                \"equals\": \"[[parameters('defaultRoute')]\"\n              }\n            ]\n          },\n          \"deployment\": {\n            \"properties\": {\n              \"mode\": \"incremental\",\n              \"parameters\": {\n                \"udrName\": {\n                  \"value\": \"[[concat(field('name'),'-udr')]\"\n                },\n                \"udrLocation\": {\n                  \"value\": \"[[field('location')]\"\n                },\n                \"defaultRoute\": {\n                  \"value\": \"[[parameters('defaultRoute')]\"\n                }\n              },\n              \"template\": {\n                \"$schema\": \"http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json\",\n                \"contentVersion\": \"1.0.0.0\",\n                \"parameters\": {\n                  \"udrName\": {\n                    \"type\": \"string\"\n                  },\n                  \"udrLocation\": {\n                    \"type\": \"string\"\n                  },\n                  \"defaultRoute\": {\n                    \"type\": \"string\"\n                  }\n                },\n                \"variables\": {},\n                \"resources\": [\n                  {\n                    \"type\": \"Microsoft.Network/routeTables\",\n                    \"name\": \"[[parameters('udrName')]\",\n                    \"apiVersion\": \"2020-08-01\",\n                    \"location\": \"[[parameters('udrLocation')]\",\n                    \"properties\": {\n                      \"routes\": [\n                        {\n                          \"name\": \"AzureFirewallRoute\",\n                          \"properties\": {\n                            \"addressPrefix\": \"0.0.0.0/0\",\n                            \"nextHopType\": \"VirtualAppliance\",\n                            \"nextHopIpAddress\": \"[[parameters('defaultRoute')]\"\n                          }\n                        }\n                      ]\n                    }\n                  }\n                ],\n                \"outputs\": {}\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n",
+    "$fxv#138": "{\n    \"name\": \"Audit-UnusedResourcesCostOptimization\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Unused resources driving cost should be avoided\",\n        \"description\": \"Optimize cost by detecting unused but chargeable resources. Leverage this Azure Policy Initiative as a cost control tool to reveal orphaned resources that are contributing cost.\",\n        \"metadata\": {\n            \"version\": \"2.0.0\",\n            \"category\": \"Cost Optimization\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n              ]\n        },\n        \"parameters\": {\n            \"effectDisks\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Disks Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Compute/disks\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectPublicIpAddresses\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"PublicIpAddresses Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Network/publicIpAddresses\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectServerFarms\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"ServerFarms Effect\",\n                    \"description\": \"Enable or disable the execution of the policy for Microsoft.Web/serverfarms\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"AuditDisksUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-Disks-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDisks')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditPublicIpAddressesUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-PublicIpAddresses-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectPublicIpAddresses')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditServerFarmsUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-ServerFarms-UnusedResourcesCostOptimization\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectServerFarms')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"AuditAzureHybridBenefitUnusedResourcesCostOptimization\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Audit-AzureHybridBenefit\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"Audit\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#139": "{\n  \"name\": \"Deploy-Sql-Security\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n    \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"vulnerabilityAssessmentsEmail\": {\n        \"metadata\": {\n          \"description\": \"The email address to send alerts\",\n          \"displayName\": \"The email address to send alerts\"\n        },\n        \"type\": \"String\"\n      },\n      \"vulnerabilityAssessmentsStorageID\": {\n        \"metadata\": {\n          \"description\": \"The storage account ID to store assessments\",\n          \"displayName\": \"The storage account ID to store assessments\"\n        },\n        \"type\": \"String\"\n      },\n      \"SqlDbTdeDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n          \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n        }\n      },\n      \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n          \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n        }\n      },\n      \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL database auditing settings\",\n          \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n        }\n      },\n      \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n          \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n          },\n          \"vulnerabilityAssessmentsEmail\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n          },\n          \"vulnerabilityAssessmentsStorageID\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
     "$fxv#14": "{\n  \"name\": \"Deny-PostgreSql-http\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"PostgreSQL database servers enforce SSL connection.\",\n    \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"minimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Select version minimum TLS for PostgreSQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for PostgreSQL server to enforce\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforPostgreSQL/servers\"\n          },\n          {\n            \"anyOf\": [\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n                \"exists\": \"false\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/sslEnforcement\",\n                \"notEquals\": \"Enabled\"\n              },\n              {\n                \"field\": \"Microsoft.DBforPostgreSQL/servers/minimalTlsVersion\",\n                \"notequals\": \"[[parameters('minimalTlsVersion')]\"\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#140": "{\n  \"name\": \"Deploy-Sql-Security\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy SQL Database built-in SQL security configuration\",\n    \"description\": \"Deploy auditing, Alert, TDE and SQL vulnerability to SQL Databases when it not exist in the deployment\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"vulnerabilityAssessmentsEmail\": {\n        \"metadata\": {\n          \"description\": \"The email address to send alerts\",\n          \"displayName\": \"The email address to send alerts\"\n        },\n        \"type\": \"String\"\n      },\n      \"vulnerabilityAssessmentsStorageID\": {\n        \"metadata\": {\n          \"description\": \"The storage account ID to store assessments\",\n          \"displayName\": \"The storage account ID to store assessments\"\n        },\n        \"type\": \"String\"\n      },\n      \"SqlDbTdeDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database Transparent Data Encryption \",\n          \"description\": \"Deploy the Transparent Data Encryption when it is not enabled in the deployment\"\n        }\n      },\n      \"SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database security Alert Policies configuration with email admin accounts\",\n          \"description\": \"Deploy the security Alert Policies configuration with email admin accounts when it not exist in current configuration\"\n        }\n      },\n      \"SqlDbAuditingSettingsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL database auditing settings\",\n          \"description\": \"Deploy auditing settings to SQL Database when it not exist in the deployment\"\n        }\n      },\n      \"SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy SQL Database vulnerability Assessments\",\n          \"description\": \"Deploy SQL Database vulnerability Assessments when it not exist in the deployment. To the specific  storage account in the parameters\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbTdeDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbTdeDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbSecurityAlertPoliciesDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbSecurityAlertPoliciesDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbAuditingSettingsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbAuditingSettingsDeploySqlSecurityEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlDbVulnerabilityAssessmentsDeploySqlSecurity\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlDbVulnerabilityAssessmentsDeploySqlSecurityEffect')]\"\n          },\n          \"vulnerabilityAssessmentsEmail\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsEmail')]\"\n          },\n          \"vulnerabilityAssessmentsStorageID\": {\n            \"value\": \"[[parameters('vulnerabilityAssessmentsStorageID')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#141": "{\n  \"name\": \"Enforce-EncryptTransit\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n    \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n    \"metadata\": {\n      \"version\": \"2.1.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"AppServiceHttpEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n          \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceTlsVersionEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n          \"description\": \"App Service. Appends the AppService sites object to ensure that  HTTPS only is enabled for  server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n          \"description\": \"App Service. Select version  minimum TLS version for a  Web App config to enforce\"\n        }\n      },\n      \"APIAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"FunctionLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"FunctionServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"WebAppServiceLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"WebAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"AKSIngressHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n          \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"deny\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ]\n      },\n      \"MySQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"MySQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n          \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"MySQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"PostgreSQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"PostgreSQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n          \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"PostgreSQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"PostgreSQL database servers. Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"RedisTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"RedisMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n          \"description\": \"Select version  minimum TLS version for a Azure Cache for Redis to enforce\"\n        }\n      },\n      \"RedisTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n          \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"SQLManagedInstanceTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLManagedInstanceMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n          \"description\": \"Select version  minimum TLS version for Azure Managed Instanceto to  enforce\"\n        }\n      },\n      \"SQLManagedInstanceTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"SQLServerTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLServerminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n          \"description\": \"Select version  minimum TLS version for Azure SQL Database to enforce\"\n        }\n      },\n      \"SQLServerTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"StorageDeployHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"StorageminimumTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_1\",\n          \"TLS1_0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage Account select minimum TLS version\",\n          \"description\": \"Select version  minimum TLS version on Azure Storage Account to enforce\"\n        }\n      },\n      \"StorageHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"ContainerAppsHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n          \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n          },\n          \"minTlsVersion\": {\n            \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#142": "{\n    \"name\": \"Enforce-Guardrails-KeyVault\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n        \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Key Vault\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effectKvSoftDelete\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvPurgeProtection\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvSecretsExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvKeysExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvFirewallEnabled\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvCertLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"audit\",\n                    \"Audit\",\n                    \"deny\",\n                    \"Deny\",\n                    \"disabled\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"maximumCertLifePercentageLife\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The maximum lifetime percentage\",\n                    \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n                },\n                \"defaultValue\": 80\n            },\n            \"minimumCertLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvKeysLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumKeysLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvSecretsLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumSecretsLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSoftDelete')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvCertLifetime')]\"\n                    },\n                    \"maximumPercentageLife\": {\n                        \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n                    },\n                    \"minimumDaysBeforeExpiry\": {\n                        \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#143": "{\n    \"name\": \"Enforce-ALZ-Decomm\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n      \"policyType\": \"Custom\",\n      \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n      \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"Decommissioned\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [ \n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"parameters\": {\n        \"listOfResourceTypesAllowed\":{\n          \"type\": \"Array\",\n          \"defaultValue\": [],\n          \"metadata\": {\n            \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n            \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n            \"strongType\": \"resourceTypes\"\n          }\n        }\n      },\n      \"policyDefinitions\": [\n        {\n          \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n          \"parameters\": {\n            \"listOfResourceTypesAllowed\": {\n              \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n            }\n          },\n          \"groupNames\": []\n        },\n        {\n            \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n            \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n            \"parameters\": {},\n            \"groupNames\": []\n          }\n      ],\n      \"policyDefinitionGroups\": null\n    }\n  }\n  ",
-    "$fxv#144": "{\n    \"name\": \"Enforce-ALZ-Sandbox\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n        \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Sandbox\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"listOfResourceTypesNotAllowed\": {\n                \"type\": \"Array\",\n                \"defaultValue\": [],\n                \"metadata\": {\n                    \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n                    \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n                    \"strongType\": \"resourceTypes\"\n                }\n            },\n            \"effectNotAllowedResources\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectDenyVnetPeering\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectNotAllowedResources')]\"\n                      },\n                    \"listOfResourceTypesNotAllowed\": {\n                        \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n                      }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#145": "{\n    \"name\": \"DenyAction-DeleteProtection\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n        \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#146": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"3.2.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"PostgreSQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n          \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MySQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n          \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MlPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n          \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"RedisCachePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n          \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BotServicePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Bot Service\",\n          \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AutomationPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Automation accounts\",\n          \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AppConfigPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Configuration\",\n          \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"FunctionPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Function apps\",\n          \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n          \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service apps\",\n          \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ApiManPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for API Management services\",\n          \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      },\n      \"ContainerAppsEnvironmentDenyEffect\" : {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Container Apps environment should disable public network access\",\n          \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#147": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"2.2.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AVDScalingPlansLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#148": "{\n    \"name\": \"Deploy-MDFC-Config\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"metadata\": {\n            \"version\": \"6.0.1\",\n            \"category\": \"Security Center\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"emailSecurityContact\": {\n                \"type\": \"string\",\n                \"metadata\": {\n                    \"displayName\": \"Security contacts email address\",\n                    \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n                }\n            },\n            \"minimalSeverity\": {\n                \"type\": \"string\",\n                \"allowedValues\": [\n                    \"High\",\n                    \"Medium\",\n                    \"Low\"\n                ],\n                \"defaultValue\": \"High\",\n                \"metadata\": {\n                    \"displayName\": \"Minimal severity\",\n                    \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n                }\n            },\n            \"logAnalytics\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Primary Log Analytics workspace\",\n                    \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n                    \"strongType\": \"omsWorkspace\"\n                }\n            },\n            \"ascExportResourceGroupName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n                }\n            },\n            \"ascExportResourceGroupLocation\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n                }\n            },\n            \"enableAscForCosmosDbs\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSql\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSqlOnVm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForDns\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForArm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForOssDb\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForAppServices\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForKeyVault\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForStorage\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForContainers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServersVulnerabilityAssessments\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"vulnerabilityAssessmentProvider\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"default\",\n                    \"mdeTvm\"\n                ],\n                \"defaultValue\": \"default\",\n                \"metadata\": {\n                    \"displayName\": \"Vulnerability assessment provider type\",\n                    \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n                }\n            },\n            \"enableAscForApis\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForCspm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForOssDb')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVM\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n                    },\n                    \"vaType\": {\n                        \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForAppServices')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForStorage')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforContainers\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    },\n                    \"logAnalyticsWorkspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForKeyVault')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForDns\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForDns')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForArm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForArm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSql')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForApis\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForApis')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCspm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCspm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"securityEmailContact\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n                \"parameters\": {\n                    \"emailSecurityContact\": {\n                        \"value\": \"[[parameters('emailSecurityContact')]\"\n                    },\n                    \"minimalSeverity\": {\n                        \"value\": \"[[parameters('minimalSeverity')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"ascExport\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n                \"parameters\": {\n                    \"resourceGroupName\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n                    },\n                    \"resourceGroupLocation\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n                    },\n                    \"workspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
-    "$fxv#149": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"2.1.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationWebhookPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosMongoPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosCassandraPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosGremlinPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosTablePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPortalPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDatabricksPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureHDInsightPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMigratePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMigratePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueuePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueueSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLODPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseDevPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesKeyPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesLivePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesStreamPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId1\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId2\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId3\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId4\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId5\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Webhook\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"DSCAndHybridWorker\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"SQL\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"MongoDB\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Cassandra\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Gremlin\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Table\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"dataFactory\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"portal\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-UI-Api\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"databricks_ui_api\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-Browser-AuthN\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"browser_authentication\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"cluster\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Sql\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"SqlOnDemand\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Dev\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"keydelivery\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"liveevent\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"streamingendpoint\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n        \"parameters\": {\n          \"privateDnsZoneId1\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n          },\n          \"privateDnsZoneId2\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n          },\n          \"privateDnsZoneId3\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n          },\n          \"privateDnsZoneId4\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n          },\n          \"privateDnsZoneId5\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#140": "{\n  \"name\": \"Enforce-EncryptTransit\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit\",\n    \"description\": \"Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing existence condition require then the combination of Audit. \",\n    \"metadata\": {\n      \"version\": \"2.1.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"AppServiceHttpEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService sites config WebApp, APIApp, Function App with TLS version selected below\",\n          \"description\": \"Append the AppService sites object to ensure that min Tls version is set to required TLS version. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceTlsVersionEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Appends the AppService WebApp, APIApp, Function App to enable https only\",\n          \"description\": \"App Service. Appends the AppService sites object to ensure that  HTTPS only is enabled for  server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note Append does not enforce compliance use then deny.\"\n        }\n      },\n      \"AppServiceminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"App Service. Select version minimum TLS Web App config\",\n          \"description\": \"App Service. Select version  minimum TLS version for a  Web App config to enforce\"\n        }\n      },\n      \"APIAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service API App. API App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"FunctionLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Latest TLS version should be used in your Function App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"FunctionServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Function App. Function App should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"App Service Function App. Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"WebAppServiceLatestTlsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Latest TLS version should be used in your Web App\",\n          \"description\": \"Only Audit, deny not possible as it is a related resource. Upgrade to the latest TLS version.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"WebAppServiceHttpsEffect\": {\n        \"metadata\": {\n          \"displayName\": \"App Service Web App. Web Application should only be accessible over HTTPS. Choose Deny or Audit in combination with Append policy.\",\n          \"description\": \"Choose Deny or Audit in combination with Append policy. Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"AKSIngressHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"AKS Service. Enforce HTTPS ingress in Kubernetes cluster\",\n          \"description\": \"This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit https://aka.ms/kubepolicydoc.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"deny\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ]\n      },\n      \"MySQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Deploy if not exist set minimum TLS version Azure Database for MySQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"MySQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Enforce SSL connection should be enabled for MySQL database servers\",\n          \"description\": \"Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"MySQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"MySQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"PostgreSQLEnableSSLDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Deploy if not exist set minimum TLS version Azure Database for PostgreSQL server\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Database for PostgreSQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"PostgreSQLEnableSSLEffect\": {\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Enforce SSL connection should be enabled for PostgreSQL database servers\",\n          \"description\": \"Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"PostgreSQLminimalTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_0\",\n          \"TLS1_1\",\n          \"TLSEnforcementDisabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"PostgreSQL database servers. Select version minimum TLS for MySQL server\",\n          \"description\": \"PostgreSQL database servers. Select version  minimum TLS version Azure Database for MySQL server to enforce\"\n        }\n      },\n      \"RedisTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Append\",\n        \"allowedValues\": [\n          \"Append\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Deploy a specific min TLS version requirement and enforce SSL Azure Cache for Redis\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"RedisMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis.Select version minimum TLS for Azure Cache for Redis\",\n          \"description\": \"Select version  minimum TLS version for a Azure Cache for Redis to enforce\"\n        }\n      },\n      \"RedisTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Cache for Redis. Only secure connections to your Azure Cache for Redis should be enabled\",\n          \"description\": \"Azure Cache for Redis. Audit enabling of only connections via SSL to Azure Cache for Redis. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"SQLManagedInstanceTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLManagedInstanceMinTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Managed Instance.Select version minimum TLS for Azure Managed Instance\",\n          \"description\": \"Select version  minimum TLS version for Azure Managed Instanceto to  enforce\"\n        }\n      },\n      \"SQLManagedInstanceTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"SQL Managed Instance should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"SQLServerTLSDeployEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database. Deploy a specific min TLS version requirement and enforce SSL on SQL servers\",\n          \"description\": \"Deploy a specific min TLS version requirement and enforce SSL on SQL servers. Enables secure server to client by enforce  minimal Tls Version to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server.\"\n        }\n      },\n      \"SQLServerminTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"1.2\",\n        \"allowedValues\": [\n          \"1.2\",\n          \"1.0\",\n          \"1.1\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database.Select version minimum TLS for Azure SQL Database\",\n          \"description\": \"Select version  minimum TLS version for Azure SQL Database to enforce\"\n        }\n      },\n      \"SQLServerTLSEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure SQL Database should have the minimal TLS version of 1.2\",\n          \"description\": \"Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\",\n          \"Deny\"\n        ]\n      },\n      \"StorageDeployHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Deploy Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ]\n      },\n      \"StorageminimumTlsVersion\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"TLS1_2\",\n        \"allowedValues\": [\n          \"TLS1_2\",\n          \"TLS1_1\",\n          \"TLS1_0\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage Account select minimum TLS version\",\n          \"description\": \"Select version  minimum TLS version on Azure Storage Account to enforce\"\n        }\n      },\n      \"StorageHttpsEnabledEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Storage Account. Secure transfer to storage accounts should be enabled\",\n          \"description\": \"Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"ContainerAppsHttpsOnlyEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container Apps should only be accessible over HTTPS\",\n          \"description\": \"Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. Disabling 'allowInsecure' will result in the automatic redirection of requests from HTTP to HTTPS connections for container apps.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Deny\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceHttpEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceHttpEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceminTlsVersion\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceTlsVersionEffect')]\"\n          },\n          \"minTlsVersion\": {\n            \"value\": \"[[parameters('AppServiceminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f9d614c5-c173-4d56-95a7-b4437057d193\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceLatestTlsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0e6e85b-9b9f-4a4b-b67b-f730d42f1b0b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceLatestTlsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('APIAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WebAppServiceHttpsEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WebAppServiceHttpsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSIngressHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSIngressHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('MySQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQL-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLEnableSSLEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLEnableSSLEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('PostgreSQLminimalTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisdisableNonSslPort\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSDeployEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisDenyhttps\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisTLSEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('RedisMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLManagedInstanceTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLManagedInstanceTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLManagedInstanceMinTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSDeployEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-SQL-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSDeployEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLServerTLSEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SQLServerTLSEffect')]\"\n          },\n          \"minimalTlsVersion\": {\n            \"value\": \"[[parameters('SQLServerminTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDeployHttpsEnabledEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Storage-sslEnforcement\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageDeployHttpsEnabledEffect')]\"\n          },\n          \"minimumTlsVersion\": {\n            \"value\": \"[[parameters('StorageMinimumTlsVersion')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsHttpsOnlyEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0e80e269-43a4-4ae9-b5bc-178126b8a5cb\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsHttpsOnlyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#141": "{\n    \"name\": \"Enforce-Guardrails-KeyVault\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce recommended guardrails for Azure Key Vault\",\n        \"description\": \"Enforce recommended guardrails for Azure Key Vault.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Key Vault\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effectKvSoftDelete\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvPurgeProtection\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectKvSecretsExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvKeysExpire\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvFirewallEnabled\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"effectKvCertLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"audit\",\n                    \"Audit\",\n                    \"deny\",\n                    \"Deny\",\n                    \"disabled\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"maximumCertLifePercentageLife\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The maximum lifetime percentage\",\n                    \"description\": \"Enter the percentage of lifetime of the certificate when you want to trigger the policy action. For example, to trigger a policy action at 80% of the certificate's valid life, enter '80'.\"\n                },\n                \"defaultValue\": 80\n            },\n            \"minimumCertLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvKeysLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumKeysLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            },\n            \"effectKvSecretsLifetime\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Audit\"\n            },\n            \"minimumSecretsLifeDaysBeforeExpiry\": {\n                \"type\": \"Integer\",\n                \"metadata\": {\n                    \"displayName\": \"The minimum days before expiry\",\n                    \"description\": \"Enter the days before expiration of the certificate when you want to trigger the policy action. For example, to trigger a policy action 90 days before the certificate's expiration, enter '90'.\"\n                },\n                \"defaultValue\": 90\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"KvSoftDelete\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSoftDelete')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvPurgeProtection\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b60c0b2-2dc2-4e1c-b5c9-abbed971de53\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvPurgeProtection')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/98728c90-32c7-4049-8429-847dc0f4fe37\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysExpire\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/152b15f7-8e1f-4c1f-ab71-8c010ba5dbc0\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysExpire')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvFirewallEnabled\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvFirewallEnabled')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvCertLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/12ef42cb-9903-4e39-9c26-422d29570417\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvCertLifetime')]\"\n                    },\n                    \"maximumPercentageLife\": {\n                        \"value\": \"[[parameters('maximumCertLifePercentageLife')]\"\n                    },\n                    \"minimumDaysBeforeExpiry\": {\n                        \"value\": \"[[parameters('minimumCertLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvKeysLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5ff38825-c5d8-47c5-b70e-069a21955146\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvKeysLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumKeysLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"KvSecretsLifetime\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0eb591a-5e70-4534-a8bf-04b9c489584a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectKvSecretsLifetime')]\"\n                    },\n                    \"minimumDaysBeforeExpiration\": {\n                        \"value\": \"[[parameters('minimumSecretsLifeDaysBeforeExpiry')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#142": "{\n    \"name\": \"Enforce-ALZ-Decomm\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n      \"policyType\": \"Custom\",\n      \"displayName\": \"Enforce policies in the Decommissioned Landing Zone\",\n      \"description\": \"Enforce policies in the Decommissioned Landing Zone.\",\n      \"metadata\": {\n        \"version\": \"1.0.0\",\n        \"category\": \"Decommissioned\",\n        \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n        \"alzCloudEnvironments\": [ \n          \"AzureCloud\",\n          \"AzureChinaCloud\",\n          \"AzureUSGovernment\"\n        ]\n      },\n      \"parameters\": {\n        \"listOfResourceTypesAllowed\":{\n          \"type\": \"Array\",\n          \"defaultValue\": [],\n          \"metadata\": {\n            \"displayName\": \"Allowed resource types in the Decommissioned landing zone\",\n            \"description\": \"Allowed resource types in the Decommissioned landing zone, default is none.\",\n            \"strongType\": \"resourceTypes\"\n          }\n        }\n      },\n      \"policyDefinitions\": [\n        {\n          \"policyDefinitionReferenceId\": \"DecomDenyResources\",\n          \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a08ec900-254a-4555-9bf5-e42af04b5c5c\",\n          \"parameters\": {\n            \"listOfResourceTypesAllowed\": {\n              \"value\": \"[[parameters('listOfResourceTypesAllowed')]\"\n            }\n          },\n          \"groupNames\": []\n        },\n        {\n            \"policyDefinitionReferenceId\": \"DecomShutdownMachines\",\n            \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Vm-autoShutdown\",\n            \"parameters\": {},\n            \"groupNames\": []\n          }\n      ],\n      \"policyDefinitionGroups\": null\n    }\n  }\n  ",
+    "$fxv#143": "{\n    \"name\": \"Enforce-ALZ-Sandbox\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce policies in the Sandbox Landing Zone\",\n        \"description\": \"Enforce policies in the Sandbox Landing Zone.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Sandbox\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"listOfResourceTypesNotAllowed\": {\n                \"type\": \"Array\",\n                \"defaultValue\": [],\n                \"metadata\": {\n                    \"displayName\": \"Not allowed resource types in the Sandbox landing zone\",\n                    \"description\": \"Not allowed resource types in the Sandbox landing zone, default is none.\",\n                    \"strongType\": \"resourceTypes\"\n                }\n            },\n            \"effectNotAllowedResources\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"effectDenyVnetPeering\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"SandboxNotAllowed\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectNotAllowedResources')]\"\n                      },\n                    \"listOfResourceTypesNotAllowed\": {\n                        \"value\": \"[[parameters('listOfResourceTypesNotAllowed')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"SandboxDenyVnetPeering\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effectDenyVnetPeering')]\"\n                      }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#144": "{\n    \"name\": \"DenyAction-DeleteProtection\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"DenyAction Delete - Activity Log Settings and Diagnostic Settings\",\n        \"description\": \"Enforces DenyAction - Delete on Activity Log Settings and Diagnostic Settings.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Monitoring\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {},\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-DiagnosticSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-DiagnosticLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"DenyActionDelete-ActivityLogSettings\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/DenyAction-ActivityLogs\",\n                \"parameters\": {},\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#145": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"3.2.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"PostgreSQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for PostgreSql Flexible Server\",\n          \"description\": \"This policy denies creation of Postgre SQL Flexible DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MySQLFlexPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for MySQL Flexible Server\",\n          \"description\": \"This policy denies creation of MySql Flexible Server DB accounts with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MlPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Machine Learning\",\n          \"description\": \"This policy denies creation of Azure Machine Learning with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"RedisCachePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Cache for Redis\",\n          \"description\": \"This policy denies creation of Azure Cache for Redis with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BotServicePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Bot Service\",\n          \"description\": \"This policy denies creation of Bot Service with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AutomationPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Automation accounts\",\n          \"description\": \"This policy denies creation of Automation accounts with exposed public endpoints. Bots should be seet to 'isolated only' mode\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AppConfigPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Configuration\",\n          \"description\": \"This policy denies creation of App Configuration with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"FunctionPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Function apps\",\n          \"description\": \"This policy denies creation of Function apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service Environment apps\",\n          \"description\": \"This policy denies creation of App Service Environment apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AsPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for App Service apps\",\n          \"description\": \"This policy denies creation of App Service apps with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ApiManPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for API Management services\",\n          \"description\": \"This policy denies creation of API Management services with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"AuditIfNotExists\"\n      },\n      \"ContainerAppsEnvironmentDenyEffect\" : {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Container Apps environment should disable public network access\",\n          \"description\": \"This policy denies creation of Container Apps Environment with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/405c5871-3e91-4644-8a63-58e19d68ff5b\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b2982f36-99f2-4db5-8eff-283140c09693\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e1de0e3-42cb-4ebc-a86d-61d0c619ca48\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLFlexDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9299215-ae47-4f50-9c54-8a392f68a052\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLFlexPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/438c38d2-3772-465a-a9cc-7a6666a275ce\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MlPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/470baccb-7e51-4549-8b1a-3e5be069f663\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCachePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BotServiceDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5e8168db-69e3-4beb-9822-57cb59202a9d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BotServicePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/955a914f-bf86-4f0e-acd5-e0766b0efcb6\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppConfigDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3d9f5e4c-9947-4579-9539-2a7695fbc187\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AppConfigPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/969ac98b-88a8-449f-883c-2e9adb123127\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AseDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2d048aca-6479-4923-88f5-e2ac295d9af3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AsDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b5ef780-c53c-4a64-87f3-bb9c8c8094ba\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AsPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApiManDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/df73bd95-24da-4a4f-96b9-4e8b94b402bd\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ApiManPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ContainerAppsEnvironmentDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d074ddf8-01a5-4b5e-a2b8-964aed452c0a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ContainerAppsEnvironmentDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#146": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"2.2.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for API Management to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for API Management to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsDestinationType\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AzureDiagnostics\",\n        \"allowedValues\": [\n          \"AzureDiagnostics\",\n          \"Dedicated\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Destination table for the Diagnostic Setting for Firewall to Log Analytics workspace\",\n          \"description\": \"Destination table for the diagnostic setting for Firewall to Log Analytics workspace, allowed values are 'Dedicated' (for resource-specific) and 'AzureDiagnostics'. Default value is 'AzureDiagnostics'\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AVDScalingPlansLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/59759c62-9a22-4cdf-ae64-074495983fef\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountBlobServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4fe1a3b-0715-4c6c-a5ea-ffc33cf823cb\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountFileServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/25a70cc8-2bd4-47f1-90b6-1478e4662c96\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountQueueServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7bd000e3-37c7-4928-9f31-86c4b77c5c45\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountTableServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2fb86bf3-d221-43d1-96d1-2434af34eaa0\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDScalingPlansDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AVDScalingPlansLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"logAnalyticsDestinationType\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsDestinationType')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#147": "{\n    \"name\": \"Deploy-MDFC-Config\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n        \"metadata\": {\n            \"version\": \"6.0.1\",\n            \"category\": \"Security Center\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"emailSecurityContact\": {\n                \"type\": \"string\",\n                \"metadata\": {\n                    \"displayName\": \"Security contacts email address\",\n                    \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n                }\n            },\n            \"minimalSeverity\": {\n                \"type\": \"string\",\n                \"allowedValues\": [\n                    \"High\",\n                    \"Medium\",\n                    \"Low\"\n                ],\n                \"defaultValue\": \"High\",\n                \"metadata\": {\n                    \"displayName\": \"Minimal severity\",\n                    \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n                }\n            },\n            \"logAnalytics\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Primary Log Analytics workspace\",\n                    \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n                    \"strongType\": \"omsWorkspace\"\n                }\n            },\n            \"ascExportResourceGroupName\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n                }\n            },\n            \"ascExportResourceGroupLocation\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n                    \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n                }\n            },\n            \"enableAscForCosmosDbs\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSql\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForSqlOnVm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForDns\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForArm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForOssDb\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForAppServices\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForKeyVault\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForStorage\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForContainers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServers\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForServersVulnerabilityAssessments\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"vulnerabilityAssessmentProvider\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"default\",\n                    \"mdeTvm\"\n                ],\n                \"defaultValue\": \"default\",\n                \"metadata\": {\n                    \"displayName\": \"Vulnerability assessment provider type\",\n                    \"description\": \"Select the vulnerability assessment solution to provision to machines.\"\n                }\n            },\n            \"enableAscForApis\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            },\n            \"enableAscForCspm\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"DeployIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"DeployIfNotExists\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                }\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"defenderForOssDb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/44433aa3-7ec2-4002-93ea-65c65ff0310a\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForOssDb')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVM\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForVMVulnerabilityAssessment\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/13ce0167-8ca6-4048-8e6b-f996402e3c1b\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForServersVulnerabilityAssessments')]\"\n                    },\n                    \"vaType\": {\n                        \"value\": \"[[parameters('vulnerabilityAssessmentProvider')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlServerVirtualMachines\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/50ea7265-7d8c-429e-9a7d-ca1f410191c3\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSqlOnVm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForAppServices\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b40e7bcd-a1e5-47fe-b9cf-2f534d0bfb7d\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForAppServices')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForStorageAccountsV2\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/cfdc5972-75b3-4418-8ae1-7f5c36839390\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForStorage')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforContainers\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderforKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    },\n                    \"logAnalyticsWorkspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"azurePolicyForKubernetes\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForContainers')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForKeyVaults\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f725891-01c0-420a-9059-4fa46cb770b7\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForKeyVault')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForDns\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForDns')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForArm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForArm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForSql')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCosmosDbs\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/82bf5b87-728b-4a74-ba4d-6123845cf542\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCosmosDbs')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForApis\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e54d2be9-5f2e-4d65-98e4-4f0e670b23d6\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForApis')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"defenderForCspm\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/689f7782-ef2c-4270-a6d0-7664869076bd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('enableAscForCspm')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"securityEmailContact\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n                \"parameters\": {\n                    \"emailSecurityContact\": {\n                        \"value\": \"[[parameters('emailSecurityContact')]\"\n                    },\n                    \"minimalSeverity\": {\n                        \"value\": \"[[parameters('minimalSeverity')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"ascExport\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n                \"parameters\": {\n                    \"resourceGroupName\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n                    },\n                    \"resourceGroupLocation\": {\n                        \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n                    },\n                    \"workspaceResourceId\": {\n                        \"value\": \"[[parameters('logAnalytics')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}",
+    "$fxv#148": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"2.1.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationWebhookPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationWebhookPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAutomationDSCHybridPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAutomationDSCHybridPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosMongoPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosMongoPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosCassandraPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosCassandraPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosGremlinPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosGremlinPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCosmosTablePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCosmosTablePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDataFactoryPortalPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDataFactoryPortalPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDatabricksPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDatabricksPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureHDInsightPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureHDInsightPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMigratePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMigratePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageBlobSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageBlobSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueuePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueuePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageQueueSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageQueueSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageStaticWebSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageStaticWebSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureStorageDFSSecPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureStorageDFSSecPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseSQLODPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseSQLODPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSynapseDevPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSynapseDevPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesKeyPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesKeyPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesLivePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesLivePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMediaServicesStreamPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMediaServicesStreamPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId1\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId1\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId2\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId2\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId3\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId3\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId4\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId4\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMonitorPrivateDnsZoneId5\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMonitorPrivateDnsZoneId5\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-Webhook\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationWebhookPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Webhook\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Automation-DSCHybrid\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6dd01e4f-1be1-4e80-9d0b-d109e04cb064\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAutomationDSCHybridPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"DSCAndHybridWorker\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosSQLPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"SQL\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-MongoDB\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosMongoPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"MongoDB\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Cassandra\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosCassandraPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Cassandra\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Gremlin\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosGremlinPrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Gremlin\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Cosmos-Table\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/a63cc0bd-cda4-4178-b705-37dc439d3e0f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCosmosTablePrivateDnsZoneId')]\"\n          },\n          \"privateEndpointGroupId\": {\n            \"value\": \"Table\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"dataFactory\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DataFactory-Portal\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86cd96e1-1745-420d-94d4-d3f2fe415aa4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDataFactoryPortalPrivateDnsZoneId')]\"\n          },\n          \"listOfGroupIds\": {\n            \"value\": [\n              \"portal\"\n            ]\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-UI-Api\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"databricks_ui_api\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Databrics-Browser-AuthN\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0eddd7f3-3d9b-4927-a07a-806e8ac9486c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDatabricksPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"browser_authentication\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-HDInsight\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/43d6e3bd-fc6a-4b44-8b4d-2151d8736a11\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureHDInsightPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"cluster\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Migrate\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7590a335-57cf-4c95-babd-ecbc8fafeb1f\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMigratePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/75973700-529f-4de2-b794-fb9b6781b6b0\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Blob-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d847d34b-9337-4e2d-99a5-767e5ac9c582\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageBlobSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bcff79fb-2b0d-47c9-97e5-3023479b00d1\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueuePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-Queue-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/da9b4ae8-5ddc-48c5-b9c0-25f8abf7a3d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageQueueSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-File\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6df98d03-368a-4438-8730-a93c4d7693d6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/9adab2a5-05ba-4fbd-831a-5bf958d04218\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-StaticWeb-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d19ae5f1-b303-4b82-9ca8-7682749faf0c\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageStaticWebSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83c6fe0f-2316-444a-99a1-1ecd8a7872ca\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Storage-DFS-Sec\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/90bd4cb3-9f59-45f7-a6ca-f69db2726671\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureStorageDFSSecPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Sql\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-SQL-OnDemand\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseSQLODPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"SqlOnDemand\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Synapse-Dev\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1e5ed725-f16c-478b-bd4b-7bfa2f7940b9\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSynapseDevPrivateDnsZoneId')]\"\n          },\n          \"targetSubResource\": {\n            \"value\": \"Dev\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Key\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesKeyPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"keydelivery\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Live\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesLivePrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"liveevent\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MediaServices-Stream\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b4a7f6c1-585e-4177-ad5b-c2c93f4bb991\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMediaServicesStreamPrivateDnsZoneId')]\"\n          },\n          \"groupId\": {\n            \"value\": \"streamingendpoint\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Monitor\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/437914ee-c176-4fff-8986-7e05eb971365\",\n        \"parameters\": {\n          \"privateDnsZoneId1\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId1')]\"\n          },\n          \"privateDnsZoneId2\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId2')]\"\n          },\n          \"privateDnsZoneId3\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId3')]\"\n          },\n          \"privateDnsZoneId4\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId4')]\"\n          },\n          \"privateDnsZoneId5\": {\n            \"value\": \"[[parameters('azureMonitorPrivateDnsZoneId5')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0b026355-49cb-467b-8ac4-f777874e175a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#149": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"HealthcareAPIsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n          \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
     "$fxv#15": "{\n  \"name\": \"Deny-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"Deny the creation of private DNS\",\n    \"description\": \"This policy denies the creation of a private DNS in the current scope, used in combination with policies that create centralized private DNS in connectivity subscription\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Network/privateDnsZones\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#150": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"HealthcareAPIsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure API for FHIR should use a customer-managed key (CMK) to encrypt data at rest\",\n          \"description\": \"Use a customer-managed key to control the encryption at rest of the data stored in Azure API for FHIR when this is a regulatory or compliance requirement. Customer-managed keys also deliver double encryption by adding a second layer of encryption on top of the default one done with service-managed keys.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/83cef61d-dbd1-4b20-a4fc-5fbc7da10833\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/18adea5e-f416-4d0f-8aa8-d24321e3e274\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HealthcareAPIsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/051cba44-2429-45b9-9649-46cec11c7119\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('HealthcareAPIsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#151": "{\n    \"name\": \"Enforce-ACSB\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n        \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Guest Configuration\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"includeArcMachines\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"true\",\n                    \"false\"\n                ],\n                \"metadata\": {\n                    \"displayName\": \"Include Arc connected servers\",\n                    \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n                },\n                \"defaultValue\": \"true\"\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"AuditIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"AuditIfNotExists\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"GcIdentity\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"WinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"LinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}\n",
-    "$fxv#152": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#153": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#154": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#155": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#156": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#157": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
-    "$fxv#158": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#159": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForDns\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForArm\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForStorage\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForStorage')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForDns\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForDns')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForArm\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForArm')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#150": "{\n    \"name\": \"Enforce-ACSB\",\n    \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"displayName\": \"Enforce Azure Compute Security Benchmark compliance auditing\",\n        \"description\": \"Enforce Azure Compute Security Benchmark compliance auditing for Windows and Linux virtual machines.\",\n        \"metadata\": {\n            \"version\": \"1.0.0\",\n            \"category\": \"Guest Configuration\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\"\n            ]\n        },\n        \"parameters\": {\n            \"includeArcMachines\": {\n                \"type\": \"String\",\n                \"allowedValues\": [\n                    \"true\",\n                    \"false\"\n                ],\n                \"metadata\": {\n                    \"displayName\": \"Include Arc connected servers\",\n                    \"description\": \"By selecting this option, you agree to be charged monthly per Arc connected machine.\"\n                },\n                \"defaultValue\": \"true\"\n            },\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"AuditIfNotExists\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"AuditIfNotExists\"\n            }\n        },\n        \"policyDefinitions\": [\n            {\n                \"policyDefinitionReferenceId\": \"GcIdentity\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/3cf2ab00-13f1-4d0c-8971-2ac904541a7e\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcLinux\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/331e8ea8-378a-410f-a2e5-ae22f38bb0da\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"GcWindows\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/385f5831-96d4-41db-9a3c-cd3af78aaae6\",\n                \"parameters\": {},\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"WinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/72650e9f-97bc-4b2a-ab5f-9781a9fcecbc\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            },\n            {\n                \"policyDefinitionReferenceId\": \"LinAcsb\",\n                \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fc9b3da7-8347-4380-8e70-0a0361d8dedd\",\n                \"parameters\": {\n                    \"effect\": {\n                        \"value\": \"[[parameters('effect')]\"\n                    },\n                    \"IncludeArcMachines\": {\n                        \"value\": \"[[parameters('includeArcMachines')]\"\n                    }\n                },\n                \"groupNames\": []\n            }\n        ],\n        \"policyDefinitionGroups\": null\n    }\n}\n",
+    "$fxv#151": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-KeyVaultPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-AFSPaasPublicIP\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#152": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#153": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#154": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureWebPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureWebPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-File-Sync\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-Web\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-Web\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureWebPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"Deploy-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Private-DNS-Azure-KeyVault\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#155": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureChinaCloud\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"MySQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure MySQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"PostgreSQLCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure PostgreSQL servers bring your own key data protection should be enabled\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-PostgreSQLCMKEffect\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#156": "{\n  \"name\": \"Deny-PublicPaaSEndpoints\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Public network access should be disabled for PaaS services\",\n    \"description\": \"This policy initiative is a group of policies that prevents creation of Azure PaaS services with exposed public endpoints\",\n    \"metadata\": {\n      \"version\": \"1.0.0\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"CosmosPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for CosmosDB\",\n          \"description\": \"This policy denies that  Cosmos database accounts  are created with out public network access is disabled.\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"KeyVaultPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for KeyVault\",\n          \"description\": \"This policy denies creation of Key Vaults with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"SqlServerPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure SQL Database should be disabled\",\n          \"description\": \"This policy denies creation of Sql servers with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"StoragePublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access onStorage accounts should be disabled\",\n          \"description\": \"This policy denies creation of storage accounts with IP Firewall exposed to all public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AKSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on AKS API should be disabled\",\n          \"description\": \"This policy denies  the creation of  Azure Kubernetes Service non-private clusters\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"ACRPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure Container Registry disabled\",\n          \"description\": \"This policy denies the creation of Azure Container Registires with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"AFSPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access on Azure File Sync disabled\",\n          \"description\": \"This policy denies the creation of Azure File Sync instances with exposed public endpoints \"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"BatchPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure Batch Instances\",\n          \"description\": \"This policy denies creation of Azure Batch Instances with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      },\n      \"MariaDbPublicIpDenyEffect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Public network access should be disabled for Azure MariaDB\",\n          \"description\": \"This policy denies creation of Azure MariaDB with exposed public endpoints\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/797b37f7-06b8-444c-b1ad-fc62867f335a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/55615ac9-af46-4a59-874e-391cc3dfb490\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1b8ca024-1d5c-4dec-8995-b1a932b41780\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/34c877ad-507e-4c82-993e-3452a6e0ad3c\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StoragePublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/040732e8-d947-40b8-95d6-854c95024bf8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AKSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0fdf0491-d080-4575-b627-ad0e843cba0f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AFSDenyPaasPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/21a8cd35-125e-4d13-b82d-2e19b7208bb7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AFSPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c5a0ae-5e48-4738-b093-65e23a060488\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('BatchPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDbDenyPublicIP\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDbPublicIpDenyEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#157": "{\n  \"name\": \"Deploy-Diagnostics-LogAnalytics\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Diagnostic Settings to Azure Services\",\n    \"description\": \"This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. See the list of policies of the services that are included \",\n    \"metadata\": {\n      \"version\": \"1.1.0\",\n      \"category\": \"Monitoring\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"logAnalytics\": {\n        \"metadata\": {\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"displayName\": \"Log Analytics workspace\",\n          \"strongType\": \"omsWorkspace\"\n        },\n        \"type\": \"String\"\n      },\n      \"profileName\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"setbypolicy\",\n        \"metadata\": {\n          \"displayName\": \"Profile name\",\n          \"description\": \"The diagnostic settings profile name\"\n        }\n      },\n      \"ACILogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy willset the diagnostic with all metrics enabled.\"\n        }\n      },\n      \"ACRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Container Registry to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics  enabled.\"\n        }\n      },\n      \"AKSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Kubernetes Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Kubernetes Service to stream to a Log Analytics workspace when any Kubernetes Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AnalysisServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIforFHIRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"APIMgmtLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for API Management to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ApplicationGatewayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AutomationLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Automation to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BastionLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"BatchLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Batch to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Batch to stream to a Log Analytics workspace when any Batch which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CDNEndpointsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CognitiveServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"CosmosLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DatabricksLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Databricks to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataExplorerClusterLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataFactoryLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Factory to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeStoreLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Data Lake Store to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Data Lake Store to stream to a Log Analytics workspace when anyAzure Data Lake Store which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"DataLakeAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridSubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventGridTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Hubs to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Hubs to stream to a Log Analytics workspace when any Event Hubs which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"EventSystemTopicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ExpressRouteLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FirewallLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Firewall to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FrontDoorLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Front Door to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"FunctionAppLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"HDInsightLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for HDInsight to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"IotHubLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"KeyVaultLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Key Vault to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Key Vault to stream to a Log Analytics workspace when any Key Vault which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LoadBalancerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsISELogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"LogicAppsWFLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Logic Apps Workflows to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Logic Apps Workflows to stream to a Log Analytics workspace when any Logic Apps Workflows which are missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MariaDBLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for MariaDB to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MediaServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MlWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"MySQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkSecurityGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkNICLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PostgreSQLLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"PowerBIEmbeddedLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"NetworkPublicIPNicLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Public IP addresses to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Public IP addresses to stream to a Log Analytics workspace when any Public IP addresses which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RedisCacheLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"RelayLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Relay to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SearchServicesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Search Services to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Search Services to stream to a Log Analytics workspace when any Search Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"ServiceBusLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Service Bus namespaces  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for ServiceBus to stream to a Log Analytics workspace when any ServiceBus which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SignalRLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SignalR to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SignalR to stream to a Log Analytics workspace when any SignalR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLDBsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Databases  to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Databases to stream to a Log Analytics workspace when any SQL Databases  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLElasticPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"SQLMLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for SQL Managed Instances to stream to a Log Analytics workspace when any SQL Managed Instances which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StreamAnalyticsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Stream Analytics to stream to a Log Analytics workspace when any Stream Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TimeSeriesInsightsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Time Series Insights to stream to a Log Analytics workspace when any Time Series Insights which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"TrafficManagerLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Traffic Manager to stream to a Log Analytics workspace when any Traffic Manager which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualNetworkLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VirtualMachinesLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machines to stream to a Log Analytics workspace when any Virtual Machines which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VMSSLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Virtual Machine Scale Sets  to stream to a Log Analytics workspace when any Virtual Machine Scale Sets  which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VNetGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VPN Gateway to stream to a Log Analytics workspace when any VPN Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled.\"\n        }\n      },\n      \"AppServiceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"AppServiceWebappLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for App Service to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDAppGroupsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Application Groups to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Application groups to stream to a Log Analytics workspace when any application groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDWorkspaceLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"WVDHostPoolsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for AVD Host pools to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for AVD Host pools to stream to a Log Analytics workspace when any host pool which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"StorageAccountsLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for Storage Accounts to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for Storage Accounts to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      },\n      \"VWanS2SVPNGWLogAnalyticsEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Deploy Diagnostic Settings for VWAN S2S VPN gateway to Log Analytics workspace\",\n          \"description\": \"Deploys the diagnostic settings for VWAN S2S VPN gateway to stream to a Log Analytics workspace when any storage account which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"StorageAccountDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6f8f98a4-f108-47cb-8e98-91a0d85cd474\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StorageAccountsLogAnalyticsEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDAppGroupDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDAppGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WVDHostPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('WVDHostPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACIDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACILogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ACRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ACRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AKSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6c66c325-74c8-42fd-a286-a74b0e2939d8\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AKSLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AnalysisServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AnalysisServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIforFHIRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIforFHIRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"APIMgmtDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('APIMgmtLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ApplicationGatewayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ApplicationGatewayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AutomationDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AutomationLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BastionDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BastionLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"BatchDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c84e5349-db6d-4769-805e-e14037dab9b5\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('BatchLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CDNEndpointsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CDNEndpointsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DatabricksDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DatabricksLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataExplorerClusterDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataExplorerClusterLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataFactoryDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataFactoryLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeStoreDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d56a5a7c-72d7-42bc-8ceb-3baf4c0eae03\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeStoreLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataLakeAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('DataLakeAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridSubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridSubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventGridTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventGridTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EventSystemTopicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('EventSystemTopicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ExpressRouteDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ExpressRouteLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FirewallDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FirewallLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FrontDoorDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FrontDoorLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"FunctionAppDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('FunctionAppLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"HDInsightDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('HDInsightLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"IotHubDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('IotHubLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"KeyVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('KeyVaultLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LoadBalancerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LoadBalancerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsISEDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsISELogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"LogicAppsWFDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b889a06c-ec72-4b03-910a-cb169ee18721\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('LogicAppsWFLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MariaDBDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MariaDBLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MediaServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MediaServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MlWorkspaceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MlWorkspaceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"MySQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('MySQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkSecurityGroupsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkSecurityGroupsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkNICDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkNICLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PostgreSQLDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PostgreSQLLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"PowerBIEmbeddedDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('PowerBIEmbeddedLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"NetworkPublicIPNicDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/752154a7-1e0f-45c6-a880-ac75a7e4f648\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('NetworkPublicIPNicLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          },\n          \"metricsEnabled\": {\n            \"value\": \"True\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RecoveryVaultDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c717fb0c-d118-4c43-ab3d-ece30ac81fb3\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RedisCacheDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RedisCacheLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"RelayDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('RelayLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SearchServicesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/08ba64b8-738f-4918-9686-730d2ed79c7d\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SearchServicesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ServiceBusDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/04d53d87-841c-4f23-8a5b-21564380b55e\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('ServiceBusLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SignalRDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SignalRLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLDatabaseDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b79fa14e-238a-4c2d-b376-442ce508fc84\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLDBsLogAnalyticsEffect')]\"\n          },\n          \"diagnosticsSettingNameToUse\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLElasticPoolsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLElasticPoolsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SQLMDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('SQLMLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/237e0f7e-b0e8-4ec4-ad46-8c12cb66d673\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TimeSeriesInsightsDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TimeSeriesInsightsLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"TrafficManagerDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('TrafficManagerLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualNetworkDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualNetworkLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VirtualMachinesDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VirtualMachinesLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VMSSDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VMSSLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VNetGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VNetGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AppServiceWebappDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('AppServiceWebappLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"VWanS2SVPNGWDeployDiagnosticLogDeployLogAnalytics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VWanS2SVPNGW\",\n        \"parameters\": {\n          \"logAnalytics\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('VWanS2SVPNGWLogAnalyticsEffect')]\"\n          },\n          \"profileName\": {\n            \"value\": \"[[parameters('profileName')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
+    "$fxv#158": "{\n  \"name\": \"Deploy-MDFC-Config\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"description\": \"Deploy Microsoft Defender for Cloud configuration\",\n    \"metadata\": {\n      \"version\": \"3.0.1\",\n      \"category\": \"Security Center\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"emailSecurityContact\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Security contacts email address\",\n          \"description\": \"Provide email address for Microsoft Defender for Cloud contact details\"\n        }\n      },\n      \"minimalSeverity\": {\n        \"type\": \"string\",\n        \"allowedValues\": [\n          \"High\",\n          \"Medium\",\n          \"Low\"\n        ],\n        \"defaultValue\": \"High\",\n        \"metadata\": {\n          \"displayName\": \"Minimal severity\",\n          \"description\": \"Defines the minimal alert severity which will be sent as email notifications\"\n        }\n      },\n      \"logAnalytics\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Primary Log Analytics workspace\",\n          \"description\": \"Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.\",\n          \"strongType\": \"omsWorkspace\"\n        }\n      },\n      \"ascExportResourceGroupName\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group name for the export to Log Analytics workspace configuration\",\n          \"description\": \"The resource group name where the export to Log Analytics workspace configuration is created. If you enter a name for a resource group that doesn't exist, it'll be created in the subscription. Note that each resource group can only have one export to Log Analytics workspace configured.\"\n        }\n      },\n      \"ascExportResourceGroupLocation\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Resource Group location for the export to Log Analytics workspace configuration\",\n          \"description\": \"The location where the resource group and the export to Log Analytics workspace configuration are created.\"\n        }\n      },\n      \"enableAscForSql\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForDns\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForArm\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForContainers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForStorage\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      },\n      \"enableAscForServers\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"defenderForVM\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/8e86a5b6-b9bd-49d1-8e21-4bb8a0862222\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForServers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForStorageAccounts\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/74c30959-af11-47b3-9ed2-a26e03f427a3\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForStorage')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForContainers\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c9ddb292-b203-4738-aead-18e2716e858f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForContainers')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForDns\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/2370a3c1-4a25-4283-a91a-c9c1a145fb2f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForDns')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForArm\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b7021b2b-08fd-4dc0-9de7-3c6ece09faf9\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForArm')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"defenderForSqlPaas\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b99b73e7-074b-4089-9395-b7236f094491\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('enableAscForSql')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"securityEmailContact\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts\",\n        \"parameters\": {\n          \"emailSecurityContact\": {\n            \"value\": \"[[parameters('emailSecurityContact')]\"\n          },\n          \"minimalSeverity\":{\n            \"value\":\"[[parameters('minimalSeverity')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"ascExport\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ffb6f416-7bd2-4488-8828-56585fef2be9\",\n        \"parameters\": {\n          \"resourceGroupName\": {\n            \"value\": \"[[parameters('ascExportResourceGroupName')]\"\n          },\n          \"resourceGroupLocation\": {\n            \"value\": \"[[parameters('ascExportResourceGroupLocation')]\"\n          },\n          \"workspaceResourceId\": {\n            \"value\": \"[[parameters('logAnalytics')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#159": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
     "$fxv#16": "{\n  \"name\": \"Deny-PublicEndpoint-MariaDB\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Public network access should be disabled for MariaDB\",\n    \"description\": \"This policy denies the creation of Maria DB accounts with exposed public endpoints. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/fdccbe47-f3e3-4213-ad5d-ea459b2fa077.html\",\n    \"metadata\": {\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"SQL\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"deprecated\": true,\n      \"supersededBy\": \"fdccbe47-f3e3-4213-ad5d-ea459b2fa077\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.DBforMariaDB/servers\"\n          },\n          {\n            \"field\": \"Microsoft.DBforMariaDB/servers/publicNetworkAccess\",\n            \"notequals\": \"Disabled\"\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
-    "$fxv#160": "{\n  \"name\": \"Deploy-Private-DNS-Zones\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Configure Azure PaaS services to use private DNS zones\",\n    \"description\": \"This policy initiative is a group of policies that ensures private endpoints to Azure PaaS services are integrated with Azure Private DNS zones\",\n    \"metadata\": {\n      \"version\": \"1.0.1\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"azureFilePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureFilePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureBatchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureBatchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAsrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAsrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureKeyVaultPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureKeyVaultPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureSignalRPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureSignalRPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAppServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAppServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridTopicsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridTopicsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureDiskAccessPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureDiskAccessPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveServicesPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveServicesPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureIotHubsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureIotHubsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventGridDomainsPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventGridDomainsPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureRedisCachePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureRedisCachePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureAcrPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureAcrPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureEventHubNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureEventHubNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureMachineLearningWorkspacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureMachineLearningWorkspacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureServiceBusNamespacePrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureServiceBusNamespacePrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"azureCognitiveSearchPrivateDnsZoneId\": {\n        \"type\": \"string\",\n        \"defaultValue\": \"\",\n        \"metadata\": {\n          \"displayName\": \"azureCognitiveSearchPrivateDnsZoneId\",\n          \"strongType\": \"Microsoft.Network/privateDnsZones\",\n          \"description\": \"Private DNS Zone Identifier\"\n        }\n      },\n      \"effect\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"DeployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"DeployIfNotExists\"\n      },\n      \"effect1\": {\n        \"type\": \"string\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"deployIfNotExists\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"deployIfNotExists\"\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-File-Sync\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/06695360-db88-47f6-b976-7500d4297475\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureFilePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Batch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/4ec38ebc-381f-45ee-81a4-acbc4be878f8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureBatchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-App\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7a860e27-9ca2-4fc6-822d-c2d248c300df\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-Site-Recovery\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/942bd215-1a66-44be-af65-6a1c0318dbe2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAsrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoT\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/aaa64d2d-2fa3-45e5-b332-0b031b9b30e8\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-KeyVault\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ac673a9a-f77d-4846-b2d8-a57f8e1c01d4\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureKeyVaultPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-SignalR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b0e86710-7fb7-4a6c-a064-32e9b829509e\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureSignalRPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-AppServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/b318f84a-b872-429b-ac6d-a01b96814452\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAppServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridTopics\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/baf19753-7502-405f-8745-370519b20483\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridTopicsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-DiskAccess\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/bc05b96c-0b36-4ca9-82f0-5c53f96ce05a\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureDiskAccessPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveServices\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c4bc6f10-cb41-49eb-b000-d5ab82e2a091\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveServicesPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-IoTHubs\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/c99ce9c1-ced7-4c3e-aca0-10e69ce0cb02\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureIotHubsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventGridDomains\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/d389df0a-e0d7-4607-833c-75a6fdac2c2d\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventGridDomainsPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect1')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-RedisCache\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e016b22b-e0eb-436d-8fd7-160c4eaed6e2\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureRedisCachePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ACR\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/e9585a95-5b8c-4d03-b193-dc7eb5ac4c32\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureAcrPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-EventHubNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ed66d4f5-8220-45dc-ab4a-20d1749c74e6\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureEventHubNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-MachineLearningWorkspace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ee40564d-486e-4f68-a5ca-7a621edae0fb\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureMachineLearningWorkspacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-ServiceBusNamespace\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f0fcf93c-c063-4071-9668-c47474bd3564\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureServiceBusNamespacePrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DINE-Private-DNS-Azure-CognitiveSearch\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/fbc14a67-53e4-4932-abcc-2049c6706009\",\n        \"parameters\": {\n          \"privateDnsZoneId\": {\n            \"value\": \"[[parameters('azureCognitiveSearchPrivateDnsZoneId')]\"\n          },\n          \"effect\": {\n            \"value\": \"[[parameters('effect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}",
-    "$fxv#161": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
+    "$fxv#160": "{\n  \"name\": \"Enforce-Encryption-CMK\",\n  \"type\": \"Microsoft.Authorization/policySetDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"displayName\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"description\": \"Deny or Audit resources without Encryption with a customer-managed key (CMK)\",\n    \"metadata\": {\n      \"version\": \"2.0.0\",\n      \"category\": \"Encryption\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"ACRCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Container registries should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/acr/CMK.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"AksCmkEffect\": {\n        \"metadata\": {\n          \"displayName\": \"Azure Kubernetes Service clusters both operating systems and data disks should be encrypted by customer-managed keys\",\n          \"description\": \"Encrypting OS and data disks using customer-managed keys provides more control and greater flexibility in key management. This is a common requirement in many regulatory and industry compliance standards.\"\n        },\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ]\n      },\n      \"WorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)\",\n          \"description\": \"Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/azureml-workspaces-cmk.\"\n        }\n      },\n      \"CognitiveServicesCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)\",\n          \"description\": \"Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"CosmosCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/cosmosdb-cmk.\"\n        }\n      },\n      \"DataBoxCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Data Box jobs should use a customer-managed key to encrypt the device unlock password\",\n          \"description\": \"Use a customer-managed key to control the encryption of the device unlock password for Azure Data Box. Customer-managed keys also help manage access to the device unlock password by the Data Box service in order to prepare the device and copy data in an automated manner. The data on the device itself is already encrypted at rest with Advanced Encryption Standard 256-bit encryption, and the device unlock password is encrypted by default with a Microsoft managed key.\"\n        }\n      },\n      \"StreamAnalyticsCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"audit\",\n        \"allowedValues\": [\n          \"audit\",\n          \"deny\",\n          \"disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Stream Analytics jobs should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys when you want to securely store any metadata and private data assets of your Stream Analytics jobs in your storage account. This gives you total control over how your Stream Analytics data is encrypted.\"\n        }\n      },\n      \"SynapseWorkspaceCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Synapse workspaces should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Use customer-managed keys to control the encryption at rest of the data stored in Azure Synapse workspaces. Customer-managed keys deliver double encryption by adding a second layer of encryption on top of the default encryption with service-managed keys.\"\n        }\n      },\n      \"StorageCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Storage accounts should use customer-managed key (CMK) for encryption, no deny as this would result in not able to create storage account because the first need of MSI for encryption\",\n          \"description\": \"Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data.\"\n        }\n      },\n      \"SqlServerTDECMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n\t        \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"SQL servers should use customer-managed keys to encrypt data at rest\",\n          \"description\": \"Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement.\"\n        }\n      },\n      \"AzureBatchCMKEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"Audit\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Azure Batch account should use customer-managed keys to encrypt data\",\n          \"description\": \"Use customer-managed keys (CMKs) to manage the encryption at rest of your Batch account's data. By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at https://aka.ms/Batch-CMK.\"\n        }\n      },\n      \"EncryptedVMDisksEffect\": {\n        \"type\": \"String\",\n        \"defaultValue\": \"AuditIfNotExists\",\n        \"allowedValues\": [\n          \"AuditIfNotExists\",\n          \"Disabled\"\n        ],\n        \"metadata\": {\n          \"displayName\": \"Disk encryption should be applied on virtual machines\",\n          \"description\": \"Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations.\"\n        }\n      }\n    },\n    \"policyDefinitions\": [\n      {\n        \"policyDefinitionReferenceId\": \"ACRCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('ACRCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AksCmkDeny\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/7d7be79c-23ba-4033-84dd-45e2a5ccdd67\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AksCmkEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"WorkspaceCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/ba769a63-b8cc-4b2d-abf6-ac33c7204be8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('WorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CognitiveServicesCMK\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/67121cc7-ff39-4ab8-b7e3-95b84dab487d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CognitiveServicesCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"CosmosCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/1f905d99-2ab7-462c-a6b0-f709acca6c8f\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('CosmosCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"DataBoxCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/86efb160-8de7-451d-bc08-5d475b0aadae\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('DataBoxCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StreamAnalyticsCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/87ba29ef-1ab3-4d82-b763-87fcd4f531f7\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StreamAnalyticsCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SynapseWorkspaceCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/f7d52b2d-e161-4dfa-a82b-55e564167385\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SynapseWorkspaceCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"StorageCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/6fac406b-40ca-413b-bf8e-0bf964659c25\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('StorageCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"SqlServerTDECMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0a370ff3-6cab-4e85-8995-295fd854c5b8\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('SqlServerTDECMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"AzureBatchCMKEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/99e9ccd8-3db9-4592-b0d1-14b1715a4d8a\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('AzureBatchCMKEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      },\n      {\n        \"policyDefinitionReferenceId\": \"EncryptedVMDisksEffect\",\n        \"policyDefinitionId\": \"/providers/Microsoft.Authorization/policyDefinitions/0961003e-5a0a-4549-abde-af6a37f2724d\",\n        \"parameters\": {\n          \"effect\": {\n            \"value\": \"[[parameters('EncryptedVMDisksEffect')]\"\n          }\n        },\n        \"groupNames\": []\n      }\n    ],\n    \"policyDefinitionGroups\": null\n  }\n}\n",
     "$fxv#17": "{\n  \"name\": \"Deny-PublicIP\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"Indexed\",\n    \"displayName\": \"[Deprecated] Deny the creation of public IP\",\n    \"description\": \"[Deprecated] This policy denies creation of Public IPs under the assigned scope. Superseded by https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html using appropriate assignment parameters.\",\n    \"metadata\": {\n      \"deprecated\": true,\n      \"supersededBy\": \"6c112d4e-5bc7-47ae-a041-ea2d9dccd749\",\n      \"version\": \"1.0.0-deprecated\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        }\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"field\": \"type\",\n        \"equals\": \"Microsoft.Network/publicIPAddresses\"\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}",
     "$fxv#18": "{\n  \"name\": \"Deny-RDP-From-Internet\",\n  \"type\": \"Microsoft.Authorization/policyDefinitions\",\n  \"apiVersion\": \"2021-06-01\",\n  \"scope\": null,\n  \"properties\": {\n    \"policyType\": \"Custom\",\n    \"mode\": \"All\",\n    \"displayName\": \"[Deprecated] RDP access from the Internet should be blocked\",\n    \"description\": \"This policy denies any network security rule that allows RDP access from Internet. This policy is superseded by https://www.azadvertizer.net/azpolicyadvertizer/Deny-MgmtPorts-From-Internet.html\",\n    \"metadata\": {\n      \"deprecated\": true,\n      \"supersededBy\": \"Deny-MgmtPorts-From-Internet\",\n      \"version\": \"1.0.1-deprecated\",\n      \"category\": \"Network\",\n      \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n      \"alzCloudEnvironments\": [\n        \"AzureCloud\",\n        \"AzureChinaCloud\",\n        \"AzureUSGovernment\"\n      ]\n    },\n    \"parameters\": {\n      \"effect\": {\n        \"type\": \"String\",\n        \"metadata\": {\n          \"displayName\": \"Effect\",\n          \"description\": \"Enable or disable the execution of the policy\"\n        },\n        \"allowedValues\": [\n          \"Audit\",\n          \"Deny\",\n          \"Disabled\"\n        ],\n        \"defaultValue\": \"Deny\"\n      }\n    },\n    \"policyRule\": {\n      \"if\": {\n        \"allOf\": [\n          {\n            \"field\": \"type\",\n            \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n          },\n          {\n            \"allOf\": [\n              {\n                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n                \"equals\": \"Allow\"\n              },\n              {\n                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n                \"equals\": \"Inbound\"\n              },\n              {\n                \"anyOf\": [\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                    \"equals\": \"*\"\n                  },\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                    \"equals\": \"3389\"\n                  },\n                  {\n                    \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]\",\n                    \"equals\": \"true\"\n                  },\n                  {\n                    \"count\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"where\": {\n                        \"value\": \"[[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]\",\n                        \"equals\": \"true\"\n                      }\n                    },\n                    \"greater\": 0\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"notEquals\": \"*\"\n                    }\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                      \"notEquals\": \"3389\"\n                    }\n                  }\n                ]\n              },\n              {\n                \"anyOf\": [\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                    \"equals\": \"*\"\n                  },\n                  {\n                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                    \"equals\": \"Internet\"\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                      \"notEquals\": \"*\"\n                    }\n                  },\n                  {\n                    \"not\": {\n                      \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                      \"notEquals\": \"Internet\"\n                    }\n                  }\n                ]\n              }\n            ]\n          }\n        ]\n      },\n      \"then\": {\n        \"effect\": \"[[parameters('effect')]\"\n      }\n    }\n  }\n}\n",
     "$fxv#19": "{\n    \"name\": \"Deny-MgmtPorts-From-Internet\",\n    \"type\": \"Microsoft.Authorization/policyDefinitions\",\n    \"apiVersion\": \"2021-06-01\",\n    \"scope\": null,\n    \"properties\": {\n        \"policyType\": \"Custom\",\n        \"mode\": \"All\",\n        \"displayName\": \"Management port access from the Internet should be blocked\",\n        \"description\": \"This policy denies any network security rule that allows management port access from the Internet\",\n        \"metadata\": {\n            \"version\": \"2.1.0\",\n            \"category\": \"Network\",\n            \"source\": \"https://github.com/Azure/Enterprise-Scale/\",\n            \"replacesPolicy\": \"Deny-RDP-From-Internet\",\n            \"alzCloudEnvironments\": [\n                \"AzureCloud\",\n                \"AzureChinaCloud\",\n                \"AzureUSGovernment\"\n            ]\n        },\n        \"parameters\": {\n            \"effect\": {\n                \"type\": \"String\",\n                \"metadata\": {\n                    \"displayName\": \"Effect\",\n                    \"description\": \"Enable or disable the execution of the policy\"\n                },\n                \"allowedValues\": [\n                    \"Audit\",\n                    \"Deny\",\n                    \"Disabled\"\n                ],\n                \"defaultValue\": \"Deny\"\n            },\n            \"ports\": {\n                \"type\": \"Array\",\n                \"metadata\": {\n                    \"displayName\": \"Ports\",\n                    \"description\": \"Ports to be blocked\"\n                },\n                \"defaultValue\": [\n                    \"22\",\n                    \"3389\"\n                ]\n            }\n        },\n        \"policyRule\": {\n            \"if\": {\n                \"anyOf\": [\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups/securityRules\"\n                            },\n                            {\n                                \"allOf\": [\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/access\",\n                                        \"equals\": \"Allow\"\n                                    },\n                                    {\n                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/direction\",\n                                        \"equals\": \"Inbound\"\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange\",\n                                                \"in\": \"[[parameters('ports')]\"\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"where\": {\n                                                        \"value\": \"[[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current())),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),int(current()))), 'false')]\",\n                                                        \"equals\": \"true\"\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"count\": {\n                                                    \"value\": \"[[parameters('ports')]\",\n                                                    \"name\": \"ports\",\n                                                    \"where\": {\n                                                        \"count\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    }\n                                                },\n                                                \"greater\": 0\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]\",\n                                                    \"notIn\": \"[[parameters('ports')]\"\n                                                }\n                                            }\n                                        ]\n                                    },\n                                    {\n                                        \"anyOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"*\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix\",\n                                                \"equals\": \"Internet\"\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"*\"\n                                                }\n                                            },\n                                            {\n                                                \"not\": {\n                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]\",\n                                                    \"notEquals\": \"Internet\"\n                                                }\n                                            }\n                                        ]\n                                    }\n                                ]\n                            }\n                        ]\n                    },\n                    {\n                        \"allOf\": [\n                            {\n                                \"field\": \"type\",\n                                \"equals\": \"Microsoft.Network/networkSecurityGroups\"\n                            },\n                            {\n                                \"count\": {\n                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*]\",\n                                    \"where\": {\n                                        \"allOf\": [\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].access\",\n                                                \"equals\": \"Allow\"\n                                            },\n                                            {\n                                                \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].direction\",\n                                                \"equals\": \"Inbound\"\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange\",\n                                                        \"in\": \"[[parameters('ports')]\"\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRange'), '-'))),int(current('ports')))), 'false')]\",\n                                                                \"equals\": \"true\"\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"count\": {\n                                                            \"value\": \"[[parameters('ports')]\",\n                                                            \"name\": \"ports\",\n                                                            \"where\": {\n                                                                \"count\": {\n                                                                    \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                                    \"where\": {\n                                                                        \"value\": \"[[if(and(not(empty(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'))), contains(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'),'-')), and(lessOrEquals(int(first(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports'))),greaterOrEquals(int(last(split(current('Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]'), '-'))),int(current('ports')))) , 'false')]\",\n                                                                        \"equals\": \"true\"\n                                                                    }\n                                                                },\n                                                                \"greater\": 0\n                                                            }\n                                                        },\n                                                        \"greater\": 0\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].destinationPortRanges[*]\",\n                                                            \"notIn\": \"[[parameters('ports')]\"\n                                                        }\n                                                    }\n                                                ]\n                                            },\n                                            {\n                                                \"anyOf\": [\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"*\"\n                                                    },\n                                                    {\n                                                        \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefix\",\n                                                        \"equals\": \"Internet\"\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"*\"\n                                                        }\n                                                    },\n                                                    {\n                                                        \"not\": {\n                                                            \"field\": \"Microsoft.Network/networkSecurityGroups/securityRules[*].sourceAddressPrefixes[*]\",\n                                                            \"notEquals\": \"Internet\"\n                                                        }\n                                                    }\n                                                ]\n                                            }\n                                        ]\n                                    }\n                                },\n                                \"greater\": 0\n                            }\n                        ]\n                    }\n                ]\n            },\n            \"then\": {\n                \"effect\": \"[[parameters('effect')]\"\n            }\n        }\n    }\n}",
@@ -407,10 +406,10 @@
         "[variables('$fxv#107')]",
         "[variables('$fxv#108')]",
         "[variables('$fxv#109')]",
-        "[variables('$fxv#110')]",
-        "[variables('$fxv#111')]"
+        "[variables('$fxv#110')]"
       ],
       "AzureCloud": [
+        "[variables('$fxv#111')]",
         "[variables('$fxv#112')]",
         "[variables('$fxv#113')]",
         "[variables('$fxv#114')]",
@@ -424,10 +423,10 @@
         "[variables('$fxv#122')]",
         "[variables('$fxv#123')]",
         "[variables('$fxv#124')]",
-        "[variables('$fxv#125')]",
-        "[variables('$fxv#126')]"
+        "[variables('$fxv#125')]"
       ],
       "AzureChinaCloud": [
+        "[variables('$fxv#126')]",
         "[variables('$fxv#127')]",
         "[variables('$fxv#128')]",
         "[variables('$fxv#129')]",
@@ -435,46 +434,45 @@
         "[variables('$fxv#131')]",
         "[variables('$fxv#132')]",
         "[variables('$fxv#133')]",
-        "[variables('$fxv#134')]",
-        "[variables('$fxv#135')]"
+        "[variables('$fxv#134')]"
       ],
       "AzureUSGovernment": [
+        "[variables('$fxv#135')]",
         "[variables('$fxv#136')]",
-        "[variables('$fxv#137')]",
-        "[variables('$fxv#138')]"
+        "[variables('$fxv#137')]"
       ]
     },
     "loadPolicySetDefinitions": {
       "All": [
+        "[variables('$fxv#138')]",
         "[variables('$fxv#139')]",
         "[variables('$fxv#140')]",
         "[variables('$fxv#141')]",
         "[variables('$fxv#142')]",
         "[variables('$fxv#143')]",
-        "[variables('$fxv#144')]",
-        "[variables('$fxv#145')]"
+        "[variables('$fxv#144')]"
       ],
       "AzureCloud": [
+        "[variables('$fxv#145')]",
         "[variables('$fxv#146')]",
         "[variables('$fxv#147')]",
         "[variables('$fxv#148')]",
         "[variables('$fxv#149')]",
-        "[variables('$fxv#150')]",
-        "[variables('$fxv#151')]"
+        "[variables('$fxv#150')]"
       ],
       "AzureChinaCloud": [
+        "[variables('$fxv#151')]",
         "[variables('$fxv#152')]",
         "[variables('$fxv#153')]",
         "[variables('$fxv#154')]",
-        "[variables('$fxv#155')]",
-        "[variables('$fxv#156')]"
+        "[variables('$fxv#155')]"
       ],
       "AzureUSGovernment": [
+        "[variables('$fxv#156')]",
         "[variables('$fxv#157')]",
         "[variables('$fxv#158')]",
         "[variables('$fxv#159')]",
-        "[variables('$fxv#160')]",
-        "[variables('$fxv#161')]"
+        "[variables('$fxv#160')]"
       ]
     },
     "policyDefinitionsByCloudType": {
diff --git a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json
index cde4991896..263b8425e6 100644
--- a/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json
+++ b/eslzArm/managementGroupTemplates/roleDefinitions/customRoleDefinitions.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.23.1.45101",
-      "templateHash": "191901335711845632"
+      "version": "0.24.24.22086",
+      "templateHash": "7374068324501208275"
     }
   },
   "variables": {

From 52925f351c5a88d87da7560f5919a852e3e431ee Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Thu, 21 Dec 2023 17:00:24 +0400
Subject: [PATCH 7/8] Update to assignment

---
 eslzArm/eslzArm.json | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json
index b1eb57a00d..0c4e6b59ac 100644
--- a/eslzArm/eslzArm.json
+++ b/eslzArm/eslzArm.json
@@ -941,6 +941,7 @@
             "govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]",
             "costOptimizationPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json')]",
             "zoneResilientPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ZoneResilientPolicyAssignment.json')]",
+            "resourceRgLocationPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json')]",
             "VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]",
             "diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]",
             // references to https://github.com/Azure/azure-monitor-baseline-alerts
@@ -1026,6 +1027,7 @@
             "denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]",
             "costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]",
             "zoneResilientDeploymentName": "[take(concat('alz-ZoneResilient', variables('deploymentSuffix')), 64)]",
+            "resourceRgLocationDeploymentName": "[take(concat('alz-ResourceRGLoc', variables('deploymentSuffix')), 64)]",
             "denyVMUnmanagedDiskPolicyDeploymentName": "[take(concat('alz-NoUnmanagedDiskResource', variables('deploymentSuffix')), 64)]",
             "ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]",
             "ambaPortalPidCuaDeploymentName": "[take(concat('pid-', variables('ambaPortalCuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]",
@@ -1876,6 +1878,30 @@
                     }
                 }
             }
+        }, 
+        {
+            // Assigning Audit resource location matches resource group location policy to intermediate root management group
+            "condition": "[or(not(empty(parameters('managementSubscriptionId'))), not(empty(parameters('singlePlatformSubscriptionId'))))]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').resourceRgLocationDeploymentName]",
+            "scope": "[variables('scopes').eslzRootManagementGroup]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "policyCompletion"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').resourceRgLocationPolicyAssignment]"
+                },
+                "parameters": {
+                    "enforcementMode": {
+                        "value": "Default"
+                    }
+                }
+            }
         },        
         {
             // Assigning Azure Security Center configuration policy initiative to intermediate root management group if condition is true

From bbab71c71123766e3a6cd3c2751974f4c04a5280 Mon Sep 17 00:00:00 2001
From: Sacha Narinx <Springstone@users.noreply.github.com>
Date: Thu, 21 Dec 2023 17:41:47 +0400
Subject: [PATCH 8/8] Update non-compliance message

---
 .../AUDIT-ResourceRGLocationPolicyAssignment.json               | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
index 41aea32ae7..283cf25ac6 100644
--- a/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
+++ b/eslzArm/managementGroupTemplates/policyAssignments/AUDIT-ResourceRGLocationPolicyAssignment.json
@@ -25,7 +25,7 @@
             "displayName": "Resource Group and Resource locations should match"
         },
         "nonComplianceMessage": {
-            "message": "Resources {enforcementMode} be Zone Resilient.",
+            "message": "Resources {enforcementMode} be deployed in the same region as the Resource Group.",
             "Default": "must",
             "DoNotEnforce": "should"
         }