
Azure Landing Zones – Policy Refresh Q1 FY25

by info.odysseyx@gmail.com


ALZ – The Q1 2025 policy refresh is here!

As you know, the ALZ team's release cycle is now quarterly, to help our customers and partners manage changes to their environments. Additionally, in response to feedback from our community, partners and customers, we only introduce breaking changes semi-annually; since it has been just 3 months since the last breaking change (FY24 H2), this release does not contain any breaking changes.

While the summer (in the Northern Hemisphere) is generally a “quiet” time, the ALZ team has taken advantage of it and worked hard to improve the security, quality and trustworthiness of ALZ policy.

Security

Security is a core priority at Microsoft.

As more Azure services that support TLS 1.3 are released, we’ve updated all custom minimum-TLS-version policies to allow TLS versions 1.2 and 1.3. We are aware of out-of-the-box policies owned by other product teams that also need updating, and we will work with them on this in the next few months.

Most importantly, we’ve introduced the option to audit the use of virtual network private subnets (now with an increased number of opt-outs), via the built-in policy “Subnets should be private”. This is a key security feature: resources in a private subnet have no default outbound access to the Internet and must egress through a firewall or NAT gateway, which reduces the exfiltration paths available to a potentially compromised resource. We encourage partners and customers to review this in their own environments. More information on this topic can be found in “Default outbound access in Azure” on MS Learn.
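To make the two audits above concrete, here is a small Python evaluator for Azure Policy-style rules (an added example, not ALZ or Microsoft code) run against constructed resources: one rule accepts only TLS 1.2/1.3 on storage accounts, the other mirrors “Subnets should be private” by flagging any subnet whose defaultOutboundAccess is not false. The two aliases are real Azure Policy aliases; the resource names, the res() helper and the simplified semantics (allOf only, case-insensitive string comparison, a missing property treated as not-equal) are assumptions of this example.

```python
# Added example, not ALZ code: the two aliases are real Azure Policy aliases; resources are constructed.
STORAGE, SUBNET = "Microsoft.Storage/storageAccounts", "Microsoft.Network/virtualNetworks/subnets"
TLS_ALIAS, SUBNET_ALIAS = STORAGE + "/minimumTlsVersion", SUBNET + "/defaultOutboundAccess"
# Refreshed minimum-TLS rule: flag storage accounts not pinned to TLS 1.2 or 1.3.
TLS_RULE = {"if": {"allOf": [{"field": "type", "equals": STORAGE},
                             {"field": TLS_ALIAS, "notIn": ["TLS1_2", "TLS1_3"]}]},
            "then": {"effect": "audit"}}
# "Subnets should be private" style rule: flag subnets whose default outbound access is not disabled.
SUBNET_RULE = {"if": {"allOf": [{"field": "type", "equals": SUBNET},
                                {"field": SUBNET_ALIAS, "notEquals": "false"}]},
               "then": {"effect": "audit"}}

def field_value(resource, alias):
    """Resolve 'type' or a '<resourceType>/<property path>' alias; None when absent."""
    if alias == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    node = resource.get("properties", {}) if alias.startswith(prefix) else None
    for part in alias[len(prefix):].split("/"):
        node = node.get(part) if isinstance(node, dict) else None
    return node
def condition_matches(resource, cond):
    """One leaf condition, compared as case-insensitive strings like Azure Policy does."""
    value = field_value(resource, cond["field"])
    norm = lambda v: str(v).lower()
    if "equals" in cond:
        return value is not None and norm(value) == norm(cond["equals"])
    if "notEquals" in cond:  # an absent property is never 'equal', so an unset flag is reported
        return value is None or norm(value) != norm(cond["notEquals"])
    if "notIn" in cond:
        return value is None or norm(value) not in {norm(v) for v in cond["notIn"]}
    raise ValueError(f"unsupported condition: {cond}")
def evaluate(resource, rule):
    """The rule's effect when every allOf condition matches, otherwise 'compliant'."""
    matched = all(condition_matches(resource, c) for c in rule["if"]["allOf"])
    return rule["then"]["effect"] if matched else "compliant"
def res(name, rtype, **props):  # small builder for the constructed sample resources
    return {"name": name, "type": rtype, "properties": props}
SAMPLE_RESOURCES = [  # constructed, not from a real tenant
    res("stlegacy", STORAGE, minimumTlsVersion="TLS1_0"),
    res("stmodern", STORAGE, minimumTlsVersion="TLS1_3"),
    res("snet-default", SUBNET, addressPrefix="10.0.1.0/24"),  # defaultOutboundAccess unset = enabled
    res("snet-private", SUBNET, addressPrefix="10.0.2.0/24", defaultOutboundAccess=False),
]

def compliance_report(resources=SAMPLE_RESOURCES, rules=(TLS_RULE, SUBNET_RULE)):
    """Each resource name -> first non-compliant effect across the rules, or 'compliant'."""
    return {r["name"]: next((e for e in (evaluate(r, rule) for rule in rules)
                             if e != "compliant"), "compliant") for r in resources}
```

Running compliance_report() flags stlegacy (TLS 1.0) and snet-default (outbound access never disabled) as audit findings while the other two resources are compliant.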

The release also covers other topics, such as disabling local authentication for Automation accounts, which is a best practice.

Quality

This involved a lot of back-end work and scripting to improve our contribution tests so that they meet the high standards consumers expect, including better tests for custom policy contributions, but most notably a complete overhaul of the deployment tests, which use the ARM reference implementation (the experience delivered through the portal). Full deployments can now be run with only the policy features enabled, against the networking topology of your choice, significantly reducing the time required for end-to-end testing of every release.

While this doesn’t directly benefit consumers, improved and more efficient testing means we can get more work done as an ALZ team, and therefore put more into each release for consumers to benefit from.

AI Ready

Microsoft is investing heavily in the AI space, and ALZ plays a critical role in driving its adoption at scale.

We are working with our internal teams as they prepare to provide prescriptive guidance to customers leveraging Azure AI Services in their tenants. To support these teams and ensure customers are following best practices to secure Azure AI Services in their tenants, we are releasing important updates to the following recommended policies and initiatives:

  • Azure OpenAI
  • Cognitive Services/Search -> AI Services
  • Machine Learning
  • Bot Service (new) -> AI Bot Service

Note: some services have been renamed (as shown above).

If you are using the portal accelerator, the options to configure this are under “Workload-specific compliance”. This section has been enhanced to provide a friendlier user experience and still allows you to define the scope of coverage as before.


If you would like to benefit from our policy work in the AI space, please visit the wiki page, which contains details and links to all the policies mentioned above.

General

We’ve also made a number of small changes to our policies and initiatives to bring them up to date and best-in-class, and we’ve added some highly requested features, such as the option to send either full or audit-only diagnostic settings logs to Log Analytics.

We’ve updated the initiatives to use the latest built-in policy versions and added further configuration options. It’s all based on feedback from the field (keep us posted!).

Closing

ALZ policy refreshes are released first to the portal environment (since this is where we currently host policy definitions and initiatives as the source of truth), and it will take some time for these updates to be incorporated into other reference implementations. If you use an implementation such as Terraform or Bicep, check the release notes for that repository.

If you have suggestions for ALZ, please submit a GitHub issue to: https://aka.ms/alz/repo.

We also regularly update the What’s New page (https://aka.ms/alz/whatsnew), which contains all the details about what has changed, including any updates required between major releases.

And lastly, be sure to attend our community calls (https://aka.ms/alz/communitycall), held every three months to discuss releases; recordings of previous calls are available at the same link.
