
Policy catalog (pick & choose)

The management-groups module deliberately ships zero policy assignments by default. Customers pick which ALZ-aligned built-in initiatives to assign and at which scope, via the policy_assignments map.

Set enable_policies = true to deploy them. The variable doubles as a kill switch — flip to false to suppress every assignment without removing the map entries.

```hcl
policy_assignments = {
  "Deny-MgmtPorts-Internet" = {          # name (≤24 chars)
    scope_mg_key       = "landingzones"  # any MG key from the hierarchy
    policy_definition  = "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917"
    enforce            = true            # true = Default, false = DoNotEnforce (Audit)
    parameters         = {}              # optional, map(any) — keys match initiative parameters
    not_scopes         = []              # optional, list of MG/sub/RG IDs to exempt
    identity_type      = "None"          # None | SystemAssigned | UserAssigned
    location           = null            # required if identity_type != "None"
    non_compliance_msg = null            # optional human-readable message
  }
}
```

Copy any of these into your tfvars. Verify the definition ID against the Azure Portal or azadvertizer.net before applying — definitions evolve.

| Name | Scope | Policy |
| --- | --- | --- |
| Deny-MgmtPorts-Internet | landingzones | Block public RDP/SSH on NSGs — 22730e10-96f6-4aac-ad84-9383d35b5917 |
| Deny-Public-IP | corp | Disallow public IP creation on Corp workloads (use the ALZ ESLZ network initiative) |

| Name | Scope | Policy |
| --- | --- | --- |
| Allowed-Locations | root | Restrict resources to your approved regions — e56962a6-4747-49cd-b67b-bf8b01975c4c |
| Allowed-RG-Locations | root | Same for resource groups — e765b5de-1225-4ba3-bd56-1ac6695af988 |

| Name | Scope | Policy |
| --- | --- | --- |
| Deploy-MDFC-Config | root | Configure ASC default initiative — /providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8 |

| Name | Scope | Policy |
| --- | --- | --- |
| Deploy-Diag-Activity | root | Send activity logs to Log Analytics |
| Deploy-VM-Monitoring | landingzones | Auto-deploy AMA + DCR for VMs |

Azure Local disconnected workloads (ALZ 2026.04 — preview)

| Name | Scope | Policy |
| --- | --- | --- |
| Restrict-Local-Disconn | local | Restrict resource types to those supported in Azure Local disconnected ops — dabf7c7f-5354-42de-a92a-8367f538dd71. Start with enforce = false (Audit), then flip to true after validating disconnected workload requirements. |

Sovereign Public Cloud (per ALZ 2026.04 SLZ update)


If your workloads must align to sovereign control levels L1/L2/L3, see the Microsoft Learn sovereign controls page and assign:

  • L1 — Data residency: [Preview]: Enforce Data Residency across Azure Services
  • L2 — Encryption-at-rest: [Preview]: Enforce Encryption-at-Rest with CMK (AKV Premium) and the Managed-HSM variant
  • L2 — Encryption-in-transit: [Preview]: Enforce Encryption-in-Transit (both the HTTPS variant and the TLS Version variant)
  • L3 — Encryption-in-use: [Preview]: Enforce Encryption-in-Use across Azure Services (Confidential Compute)

These are built-in initiatives published by the Sovereign Public product group — you don’t have to copy them into your repo.

For every new assignment, deploy with enforce = false and watch the Azure Policy compliance dashboard for a few days. Flip to true once you’ve fixed the existing non-compliant resources or added the necessary not_scopes exemptions.
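A tfvars file that combines three of the catalog entries above, following the staged rollout described here. This is an added example, not the module's own documentation; it assumes the hierarchy defines the MG keys `root` and `landingzones`, uses a placeholder subscription ID, and assumes the `listOfAllowedLocations` parameter name of the Allowed-Locations definition (verify it against the definition before applying).

```hcl
# Assumed: MG keys "root" and "landingzones" exist in the hierarchy.
# The subscription ID in not_scopes is a placeholder.
enable_policies = true

policy_assignments = {
  "Allowed-Locations" = {
    scope_mg_key      = "root"
    policy_definition = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
    enforce           = true
    parameters = {
      listOfAllowedLocations = ["westeurope", "northeurope"] # parameter name assumed; verify
    }
    not_scopes         = []
    identity_type      = "None"
    location           = null
    non_compliance_msg = "Only West Europe and North Europe are approved regions."
  }

  "Deny-MgmtPorts-Internet" = {
    scope_mg_key      = "landingzones"
    policy_definition = "/providers/Microsoft.Authorization/policyDefinitions/22730e10-96f6-4aac-ad84-9383d35b5917"
    enforce           = true
    parameters        = {}
    # Placeholder subscription exempted while its NSGs are being remediated
    not_scopes         = ["/subscriptions/00000000-0000-0000-0000-000000000000"]
    identity_type      = "None"
    location           = null
    non_compliance_msg = "Public RDP/SSH on NSGs is not permitted in landing zones."
  }

  "Deploy-MDFC-Config" = {
    scope_mg_key       = "root"
    policy_definition  = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
    enforce            = false            # Audit first; flip to true once the dashboard is clean
    parameters         = {}
    not_scopes         = []
    identity_type      = "SystemAssigned" # DeployIfNotExists/Modify effects need an identity
    location           = "westeurope"     # required because identity_type != "None"
    non_compliance_msg = null
  }
}
```

Setting `enable_policies = false` later suppresses all three assignments without touching the map.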

  • aka.ms/alz/policies — the ALZ default policy library
  • azadvertizer.net — searchable, with current definition IDs
  • `az policy definition list --query "[?policyType=='BuiltIn'].{name:name, displayName:displayName}" -o table`