github Azure/ALZ-Bicep v0.18.0

10 days ago

Summary

This is a major release that follows the Azure Landing Zones policy refresh and the transition from the Microsoft Monitoring Agent (MMA) to the Azure Monitor Agent (AMA); you can read more in the "What's New" wiki page in the Enterprise-Scale repo. This release incorporates the following changes from the upstream Enterprise-Scale repo:

1. Policy Refresh H2 FY24

  • Transition to built-in policies for the deployment of diagnostic settings (original assignments will be moved to new definitions).
  • Transition to built-in policies for the deployment of Azure Monitor Agent.

Tip

See here for the updated list of all ALZ Default Policy Assignments

Policy Refresh H2 FY24 Cleanup

Existing consumers of ALZ will notice that some "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been replaced/renamed to avoid breaking changes to existing assignments.

  • Therefore, the original assignments listed below will need to be deleted within your Azure environments:

    | Initiative | Display Name | Original Assignment Name | New Assignment Name | Scope of Assignment |
    |---|---|---|---|---|
    | Deploy-MDFC-Config | Deploy Microsoft Defender for Cloud configuration | Deploy-MDFC-Config | Deploy-MDFC-Config-H224 | Intermediate Root Management Group |
    | Deploy-EncryptTransit | Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit | Enforce-TLS-SSL | Enforce-TLS-SSL-H224 | Landing Zones Management Group |
    | Deploy-Diagnostics-LogAnalytics | Deploy Diagnostic Settings to Azure Services | Deploy-Resource-Diag | Deploy-Diag-Logs | Intermediate Root Management Group |

2. AMA Updates

The Microsoft Monitoring Agent (MMA) is deprecated, and all related assignment files have been removed, though the policy definitions files remain. We now assign policies that deploy the Azure Monitor Agent (AMA) instead of MMA.

The ALZ team has published guidance you can use to understand the MMA deprecation (AMA migration) steps: aka.ms/alz/ama/blog

New resources

  • A user-assigned managed identity (UAMI) for the AMA agent to authenticate with Azure Monitor (this requires no special role assignments; any valid identity will suffice)
  • Data collection rule for VM Insights
  • Data collection rule for Change Tracking
  • Data collection rule for Defender for SQL

Microsoft Monitoring Agent (MMA) Cleanup

As MMA resources were deployed using Azure Policy (DeployIfNotExists), they will not be cleaned up automatically. Manual cleanup of these resources is required. Please refer to the product group guidance on how to clean up the MMA resources.

Legacy Policy Cleanup

Existing consumers of ALZ will notice that some "assigned by default" initiative assignments from the ALZ Default Policy Assignment Module have been replaced/renamed to avoid breaking changes to existing assignments.

  • Therefore, the original assignments listed below will need to be deleted within your Azure environments:

    | Assignment Name | Display Name | Scope of Assignment |
    |---|---|---|
    | Deploy-MDFC-DefenSQL-AMA | Configure SQL VMs and Arc-enabled SQL Servers to install Microsoft Defender for SQL and AMA with a user-defined LA workspace | Platform Management Group; Landing Zones Management Group |
    | Deploy-UAMI-VMInsights | Deploy User Assigned Managed Identity for VM Insights | Landing Zones Management Group |
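Added here as an example that is not part of these release notes or the ALZ-Bicep repo: a dry-run-by-default Azure CLI script that walks both cleanup tables above (the Policy Refresh H2 FY24 table and the Legacy Policy Cleanup table), reports whether each superseded assignment still exists at its scope, and only with --delete removes it together with the role assignments granted to its managed identity. The management-group IDs alz, alz-platform and alz-landingzones are assumed placeholders for your own hierarchy.

```shell
#!/bin/sh
# Removes the policy assignments superseded in ALZ v0.18.0 (both cleanup tables).
# Dry-run by default; pass --delete to actually remove them.
# Assumes the Azure CLI (az) is logged in with rights at the listed scopes.
set -eu

# Assumed management-group IDs: replace with your own hierarchy.
ROOT_MG="${ROOT_MG:-alz}"                          # intermediate root
PLATFORM_MG="${PLATFORM_MG:-alz-platform}"
LANDINGZONES_MG="${LANDINGZONES_MG:-alz-landingzones}"

mg_scope() { printf '/providers/Microsoft.Management/managementGroups/%s' "$1"; }

# "<original assignment name> <management group>" pairs taken from the tables.
OBSOLETE_ASSIGNMENTS="
Deploy-MDFC-Config $ROOT_MG
Enforce-TLS-SSL $LANDINGZONES_MG
Deploy-Resource-Diag $ROOT_MG
Deploy-MDFC-DefenSQL-AMA $PLATFORM_MG
Deploy-MDFC-DefenSQL-AMA $LANDINGZONES_MG
Deploy-UAMI-VMInsights $LANDINGZONES_MG"

# Succeeds if the assignment exists at the scope and stores the principal ID of
# its managed identity (empty when it has none) in PRINCIPAL_ID.
assignment_exists() {
  PRINCIPAL_ID=$(az policy assignment show --name "$1" --scope "$2" \
                   --query 'identity.principalId' -o tsv) || return 1
}

# Prints one "<status>: <name> @ <mg>" line per table entry.
cleanup_assignments() {
  mode="${1:-dry-run}"
  printf '%s\n' "$OBSOLETE_ASSIGNMENTS" | while read -r name mg; do
    [ -n "$name" ] || continue
    scope=$(mg_scope "$mg")
    if ! assignment_exists "$name" "$scope"; then
      echo "absent: $name @ $mg"; continue
    fi
    if [ "$mode" != "--delete" ]; then
      echo "found: $name @ $mg (rerun with --delete)"; continue
    fi
    az policy assignment delete --name "$name" --scope "$scope"
    # Deleting a DeployIfNotExists assignment does not delete the role
    # assignments granted to its identity; drop them so no orphaned grants remain.
    if [ -n "$PRINCIPAL_ID" ]; then
      az role assignment delete --assignee "$PRINCIPAL_ID" --scope "$scope"
    fi
    echo "deleted: $name @ $mg"
  done
}

cleanup_assignments "${1:-dry-run}"
```

Run it once with no arguments to review what would be removed, then with --delete.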

Important

Going forward, this ALZ Default Policy Assignments Module and Logging Module will not support MMA and will only support AMA. If you wish to continue using MMA, you will need to manage it outside of these modules.

What's Changed

Breaking Changes

  1. With the fix for #780, the allowed value of the parameter that specifies the hub routing preference changed from ASN to AsPath.

Full Changelog: v0.17.5...v0.18.0
