
Policy Refresh H1FY26

Open · Springstone opened this issue 2 months ago · 0 comments

This pull request introduces several updates and improvements to Azure Landing Zones policies and documentation, with a focus on security benchmarking, compliance, and Kubernetes deprecation detection. The most significant changes include the addition of the Microsoft Cloud Security Benchmark v2 initiative, updates to existing policy definitions, and new custom policies to improve compliance and security posture.

Policy and Initiative Updates:

  • Added support for the new built-in initiative "Microsoft Cloud Security Benchmark v2" (e3ec7e09-768c-4b64-882c-fcada3772047), including ARM template changes to assign this initiative by default at the intermediate root management group scope if Defender for Cloud and Log Analytics are enabled. This allows customers to evaluate and prepare for the transition to the new security benchmark. [1] [2] [3] [4] [5]
  • Updated policy references in documentation to use new initiative URLs and versions, reflecting the latest compliance requirements (e.g., updated links for "Enforce-Encryption-CMK" and "Enforce-Guardrails-Network"). [1] [2]

New and Updated Policy Definitions:

  • Added a new custom policy Audit-AKS-kubenet to detect AKS clusters using the deprecated 'kubenet' network plugin, with default effect set to "Audit". This policy is included in the "Enforce-Guardrails-Kubernetes" initiative. [1] [2]
  • Updated policy Deny-FileServices-InsecureSmbChannel to version 2.0.0, improving compliance checks for storage accounts created with maximum compatibility. [1] [2]
  • Updated policy Deny-FileServices-InsecureSmbVersions to version 1.1.0, adding checks for storage accounts with protocolSettings.smb.versions set to null to ensure accurate compliance reporting.

Documentation Improvements:

  • Added a new section "🔃 Policy Refresh H1 FY26" to the changelog, summarizing the latest policy additions and updates, including AKS kubenet deprecation detection, SQL authentication guardrails, and new security benchmark initiatives. [1] [2]
  • Updated policy and initiative names and descriptions in documentation tables to reflect new versions and align with current Azure best practices.

These changes help keep Azure Landing Zones up-to-date with evolving security standards and provide customers with improved tools for compliance and governance.

Springstone · Dec 11 '25 10:12
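To make the two policy patterns in the description concrete, here is an added, illustrative pair of Azure Policy definitions; they are not the Enterprise-Scale repository's own `Audit-AKS-kubenet` or `Deny-FileServices-InsecureSmbVersions` definitions and are not taken from the PR. The first audits AKS clusters whose network plugin is `kubenet`, with the parameterised effect defaulting to `Audit` as the PR describes. The second shows the null-handling point from the `Deny-FileServices-InsecureSmbVersions` 1.1.0 bullet: a file service whose `protocolSettings.smb.versions` was never set is matched via `exists: false` instead of silently evaluating as compliant, because an unset value falls back to the service default rather than to the restricted version list. The alias names `Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin` and `Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions`, the definition names, and the `SMB3.1.1` default are assumptions for this example (JSON has no comments, so the assumption is repeated in each `description` field).

```json
[
  {
    "name": "Audit-AKS-kubenet-example",
    "properties": {
      "displayName": "AKS clusters should not use the deprecated kubenet network plugin (illustrative)",
      "description": "Example only; alias Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin is assumed.",
      "policyType": "Custom",
      "mode": "Indexed",
      "parameters": {
        "effect": {
          "type": "String",
          "allowedValues": ["Audit", "Deny", "Disabled"],
          "defaultValue": "Audit"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.ContainerService/managedClusters" },
            {
              "field": "Microsoft.ContainerService/managedClusters/networkProfile.networkPlugin",
              "equals": "kubenet"
            }
          ]
        },
        "then": { "effect": "[parameters('effect')]" }
      }
    }
  },
  {
    "name": "Deny-FileServices-InsecureSmbVersions-example",
    "properties": {
      "displayName": "File services should only allow the approved SMB versions, including when versions is unset (illustrative)",
      "description": "Example only; alias Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions and the SMB3.1.1 default are assumed.",
      "policyType": "Custom",
      "mode": "All",
      "parameters": {
        "effect": {
          "type": "String",
          "allowedValues": ["Audit", "Deny", "Disabled"],
          "defaultValue": "Deny"
        },
        "allowedSmbVersions": {
          "type": "String",
          "defaultValue": "SMB3.1.1"
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Storage/storageAccounts/fileServices" },
            {
              "anyOf": [
                {
                  "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions",
                  "exists": "false"
                },
                {
                  "field": "Microsoft.Storage/storageAccounts/fileServices/protocolSettings.smb.versions",
                  "notEquals": "[parameters('allowedSmbVersions')]"
                }
              ]
            }
          ]
        },
        "then": { "effect": "[parameters('effect')]" }
      }
    }
  }
]
```

Each definition can be registered with `az policy definition create --name <name> --rules <policyRule JSON> --params <parameters JSON> --mode <mode>` and then assigned at the intermediate root management group, the same scope the PR uses for the Microsoft Cloud Security Benchmark v2 assignment. Keep the kubenet policy at `Audit` first: it reports existing clusters without blocking deployments, which is what lets you size the migration before switching to `Deny`. The `anyOf` with `exists: false` is the part worth copying into any deny policy that gates on an optional property, since without it a resource that omits the property never enters the rule at all.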