policyAssignments/CAF-RootMG-Default.json
|
{
"nodeName": "/Root/", "scope": { "tenant1": [ "/providers/Microsoft.Management/managementGroups/toplevelmanagementgroup" ] }, "parameters": { "logAnalytics": "", "logAnalytics_1": "", "emailSecurityContact": "", "ascExportResourceGroupName": "", "ascExportResourceGroupLocation": "" }, "children": [ { "nodeName": "Security/", "children": [ { "nodeName": "ASB", "assignment": { "name": "Deploy-ASC-Monitoring", "displayName": "Microsoft Cloud Security Benchmark", "description": "Microsoft Cloud Security Benchmark policy initiative" }, "definitionEntry": { "policySetName": "1f3afdf9-d0c9-4c3d-847f-89da613e70a8", "friendlyNameToDocumentIfGuid": "Microsoft Cloud Security Benchmark" }, "parameters": {} }, { "nodeName": "MDFC", "assignment": { "name": "Deploy-MDFC-Config", "displayName": "Deploy Microsoft Defender for Cloud configuration", "description": "Deploy Microsoft Defender for Cloud and Security Contacts" }, "definitionEntry": { "policySetName": "Deploy-MDFC-Config", "friendlyNameToDocumentIfGuid": "Microsoft Defender For Cloud" }, "parameters": { "enableAscForServers": "Disabled", "enableAscForSql": "Disabled", "enableAscForAppServices": "Disabled", "enableAscForStorage": "Disabled", "enableAscForContainers": "Disabled", "enableAscForKeyVault": "Disabled", "enableAscForSqlOnVm": "Disabled", "enableAscForArm": "Disabled", "enableAscForDns": "Disabled", "enableAscForOssDb": "Disabled", "enableAscForCosmosDbs": "Disabled" } } ] }, { "nodeName": "Logging/", "children": [ { "nodeName": "ActivityLogs", "assignment": { "name": "Deploy-AzActivity-Log", "displayName": "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace", "description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace." }, "definitionEntry": { "policyName": "2465583e-4e78-4c15-b6be-a36cbc7c8b0f", "friendlyNameToDocumentIfGuid": "Activity Logs" }, "parameters": {} }, { "nodeName": "ResourceDiagnostics", "assignment": { "name": "Deploy-Resource-Diag", "displayName": "Deploy-Resource-Diag", "description": "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace." }, "definitionEntry": { "policySetName": "Deploy-Diagnostics-LogAnalytics", "friendlyNameToDocumentIfGuid": "Resource Diagnostics" }, "parameters": {} }, { "nodeName": "VMMonitoring", "assignment": { "name": "Deploy-VM-Monitoring", "displayName": "Enable Azure Monitor for VMs", "description": "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter." }, "definitionEntry": { "policySetName": "55f3eceb-5573-4f18-9695-226972c6d74a", "friendlyNameToDocumentIfGuid": "VM Monitoring" } }, { "nodeName": "VMSSMonitoring", "assignment": { "name": "Deploy-VMSS-Monitoring", "displayName": "Enable Azure Monitor for Virtual Machine Scale Sets", "description": "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances." }, "definitionEntry": { "policySetName": "75714362-cae7-409e-9b99-a8e5075b7fad", "friendlyNameToDocumentIfGuid": "VMSS Monitoring" } } ] } ] } |