Policy Refresh H1FY26 #2105
Conversation
jtracey93
left a comment
Some comments - also see my ping in Teams about some more policies we may want to add.
Also let's merge this PR first and complete the release before we get to moving the wiki in this other PR Azure/Azure-Landing-Zones#165
Review comments on:
- src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json (outdated)
- src/resources/Microsoft.Authorization/policySetDefinitions/Enforce-Guardrails-Kubernetes.json (outdated)
- eslzArm/managementGroupTemplates/policyAssignments/DINE-ASB2PolicyAssignment.json
jtracey93
left a comment
@Springstone a few comments for your review:
- I don't see the spreadsheet also updated?
- "What's new" has conflicts
Aside from that it LGTM, thanks as always - let me know when these 2 things are resolved and updated and we can merge and release
Pull request overview
This PR introduces a comprehensive policy refresh for H1 FY26, updating Azure Landing Zones policies to align with evolving security standards and deprecation announcements. The primary focus is on enhancing security benchmarking, improving SQL authentication guardrails, and detecting deprecated Kubernetes configurations.
Changes:
- Added new custom policy to detect AKS clusters using deprecated kubenet network plugin
- Introduced Microsoft Cloud Security Benchmark v2 initiative assignment for preview evaluation
- Updated SQL, KeyVault, and Storage policies with enhanced compliance checks and typo corrections
Reviewed changes
Copilot reviewed 15 out of 17 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| Audit-AKS-kubenet.json | New policy to audit AKS clusters using kubenet network plugin scheduled for deprecation |
| Enforce-Guardrails-SQL.json | Added policies to enforce Entra-only authentication for SQL databases |
| Enforce-Guardrails-Kubernetes.json | Integrated new kubenet audit policy with configurable effect parameter |
| Enforce-Guardrails-KeyVault.json | Corrected typos in HSM-related parameter names (Hms → Hsm) |
| Deploy-ASC-SecurityContacts.json | Added attack path severity parameter for enhanced security monitoring |
| Deny-FileServices-InsecureSmbVersions.json | Added null check for storage accounts created with maximum compatibility |
| Deny-FileServices-InsecureSmbChannel.json | Added null check for SMB channel encryption compatibility |
| DINE-ASB2PolicyAssignment.json | New policy assignment for Microsoft Cloud Security Benchmark v2 initiative |
| eslzArm.json | Integrated ASB2 initiative and updated region mappings for private DNS zones |
| Whats-new.md | Documented all policy changes in H1 FY26 refresh section |
Review comments on:
- src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json (outdated)
- ...sources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbVersions.json (outdated)
- ...esources/Microsoft.Authorization/policyDefinitions/Deny-FileServices-InsecureSmbChannel.json (outdated)
- src/resources/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts.json
…-ASC-SecurityContacts.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Spreadsheet is updated in the ALZ Library as part of the policy docs migration. I've updated it here as well, but it is moving.
…ileServices-InsecureSmbVersions.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…ileServices-InsecureSmbChannel.json Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
…rprise-Scale into policy-refresh-h1fy26
jtracey93
left a comment
LGTM
This pull request introduces several updates and improvements to Azure Landing Zones policies and documentation, with a focus on security benchmarking, compliance, and Kubernetes deprecation detection. The most significant changes include the addition of the Microsoft Cloud Security Benchmark v2 initiative, updates to existing policy definitions, and new custom policies to improve compliance and security posture.
Policy and Initiative Updates:
- e3ec7e09-768c-4b64-882c-fcada3772047), including ARM template changes to assign this initiative by default at the intermediate root management group scope if Defender for Cloud and Log Analytics are enabled. This allows customers to evaluate and prepare for the transition to the new security benchmark.
New and Updated Policy Definitions:
- Audit-AKS-kubenet to detect AKS clusters using the deprecated 'kubenet' network plugin, with default effect set to "Audit". This policy is included in the "Enforce-Guardrails-Kubernetes" initiative.
- Deny-FileServices-InsecureSmbChannel to version 2.0.0, improving compliance checks for storage accounts created with maximum compatibility.
- Deny-FileServices-InsecureSmbVersions to version 1.1.0, adding checks for storage accounts with protocolSettings.smb.versions set to null to ensure accurate compliance reporting.
Documentation Improvements:
These changes help keep Azure Landing Zones up-to-date with evolving security standards and provide customers with improved tools for compliance and governance.
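The null-versions edge case behind the Deny-FileServices-InsecureSmbVersions 1.1.0 change, modelled as an added Python example (not the ALZ policy definition itself): a check that only matches an explicitly listed SMB 2.1 passes a storage account created with maximum compatibility, whose protocolSettings.smb.versions is null, while resolving null to "every version allowed" catches it. The sample resource shapes and the assumption that an unset value means all platform-supported versions are constructed here.

```python
"""Added example, not code from the ALZ repository: models the
protocolSettings.smb.versions null check on a storage account's file service."""
from typing import Optional

INSECURE_VERSIONS = {"SMB2.1"}
# Assumption: a file service with no explicit versions value accepts every
# version the platform supports, which is what "maximum compatibility" gives.
PLATFORM_DEFAULT = {"SMB2.1", "SMB3.0", "SMB3.1.1"}


def raw_versions(file_service: dict) -> Optional[str]:
    """Read the semicolon-separated versions string, or None when unset."""
    props = file_service.get("properties", {})
    return props.get("protocolSettings", {}).get("smb", {}).get("versions")


def effective_versions(file_service: dict) -> set:
    """Versions the file service actually allows, resolving null to the default."""
    versions = raw_versions(file_service)
    if not versions:
        return set(PLATFORM_DEFAULT)
    return {v.strip() for v in versions.split(";") if v.strip()}


def naive_is_compliant(file_service: dict) -> bool:
    """Only flags an explicitly listed insecure version: a null value is never
    matched, so a maximum-compatibility account is reported as compliant."""
    versions = raw_versions(file_service)
    return not (versions and any(v in versions.split(";") for v in INSECURE_VERSIONS))


def hardened_is_compliant(file_service: dict) -> bool:
    """Resolves null first, so the unrestricted account is reported correctly."""
    return not (effective_versions(file_service) & INSECURE_VERSIONS)


# Constructed sample resources (shape of Microsoft.Storage/storageAccounts/fileServices)
SAMPLES = {
    "restricted": {"properties": {"protocolSettings": {"smb": {"versions": "SMB3.0;SMB3.1.1"}}}},
    "explicit_smb21": {"properties": {"protocolSettings": {"smb": {"versions": "SMB2.1;SMB3.0;SMB3.1.1"}}}},
    "max_compat": {"properties": {"protocolSettings": {"smb": {"versions": None}}}},
}

if __name__ == "__main__":
    for name, res in SAMPLES.items():
        print(f"{name:15} naive={naive_is_compliant(res)} hardened={hardened_is_compliant(res)}")
```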