policyAssignments/CAF-Sandbox-Default.json

{
    "$schema": "https://raw.githubusercontent.com/Azure/enterprise-azure-policy-as-code/main/Schemas/policy-assignment-schema.json",
    "nodeName": "/Sandbox/",
    "scope": {
        "tenant1": [
            "/providers/Microsoft.Management/managementGroups/sandbox"
        ]
    },
    "children": [
        {
            "nodeName": "Guardrails",
            "assignment": {
                "name": "Enforce-ALZ-Sandbox",
                "displayName": "Enforce ALZ Sandbox Guardrails",
                "description": "This initiative will help enforce and govern subscriptions that are placed within the Sandbox Management Group. See https://aka.ms/alz/policies for more information."
            },
            "definitionEntry": {
                "policySetName": "Enforce-ALZ-Sandbox"
            },
            "parameters": {
                "listOfResourceTypesNotAllowed": [
                    "microsoft.network/expressroutecircuits",
                    "microsoft.network/expressroutegateways",
                    "microsoft.network/virtualwans",
                    "microsoft.network/virtualhubs",
                    "microsoft.network/vpngateways",
                    "microsoft.network/vpnsites"
                ]
            },
            "nonComplianceMessages": [
                {
                    "message": "ALZ Sandbox Guardrails must be enforced."
                }
            ]
        }
    ]
}