[pull] main from Azure:main

docs/wiki/ALZ-Deprecated-Services.md

@@ -21,6 +21,6 @@ Over time, a deprecation process of there `ALZ / custom` policies will have to t
 
 | Deprecated ALZ Policy IDs                     | Superseded by built-in policy IDs    | Justification                                                            |
 |-----------------------------------------------|--------------------------------------|--------------------------------------------------------------------------|
-| Deploy-Nsg-FlowLogs | e920df7f-9a64-4066-9b58-52684c02a091 | Custom policy replaced by built-in requires less administration overhead |
-| Deploy-Nsg-FlowLogs-to-LA | e920df7f-9a64-4066-9b58-52684c02a091 | Custom policy replaced by built-in requires less administration overhead |
-| Deny-PublicIP | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 | Custom policy replaced by built-in requires less administration overhead |½
+| Deploy-Nsg-FlowLogs | [e920df7f-9a64-4066-9b58-52684c02a091](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html?) | Custom policy replaced by built-in requires less administration overhead |
+| Deploy-Nsg-FlowLogs-to-LA | [e920df7f-9a64-4066-9b58-52684c02a091](https://www.azadvertizer.net/azpolicyadvertizer/e920df7f-9a64-4066-9b58-52684c02a091.html?) | Custom policy replaced by built-in requires less administration overhead |
+| Deny-PublicIP | [6c112d4e-5bc7-47ae-a041-ea2d9dccd749](https://www.azadvertizer.net/azpolicyadvertizer/6c112d4e-5bc7-47ae-a041-ea2d9dccd749.html?) | Custom policy replaced by built-in requires less administration overhead |½

docs/wiki/ALZ-Policies.md

@@ -65,7 +65,7 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
 | -------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------- | ------- |
 | **Deploy Microsoft Defender for Cloud configuration**                      | **Deploy Microsoft Defender for Cloud configuration**                            | `Policy Definition Set`, **Custom**   | Configures all the MDFC settings, such as Microsoft Defender for Cloud per individual service, security contacts, and export from MDFC to Log Analytics workspace                                                                                                                                                                                                                    | DeployIfNotExists                   | 3.0.0   |
 | **Deploy-Resource-Diag**                                                   | **Deploy Diagnostic Settings to Azure Services**                                 | `Policy Definition Set`, **Custom**   | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace.                                                                                                                                                                                                                                | DeployIfNotExists                   | 1.0.0   |
-| **Enable Monitoring in Azure Security Center**                             | **Azure Security Benchmark**                                                     | `Policy Definition Set`, **Built-in** | The Azure Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Azure Security Benchmark v2, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled   | 49.0.0  |
+| **Enable Monitoring in Azure Security Center**                             | **Azure Security Benchmark**                                                     | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see https://aka.ms/azsecbm. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled   | 49.0.0  |
 | **Enable Azure Monitor for VMs**                                           | **Enable Azure Monitor for VMs**                                                 | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter                                                                                                                                                                                                            | DeployIfNotExists, AuditIfNotExists | 2.0.0   |
 | **Enable Azure Monitor for Virtual Machine Scale Sets**                    | **Enable Azure Monitor for Virtual Machine Scale Sets**                          | `Policy Definition Set`, **Built-in** | Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances.          | DeployIfNotExists, AuditIfNotExists | 1.0.1   |
 | **Deploy Diagnostic Settings for Activity Log to Log Analytics workspace** | **Configure Azure Activity logs to stream to specified Log Analytics workspace** | `Policy Definition`, **Built-in**     | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events                                                                                                                                                                                                                              | DeployIfNotExists                   | 1.0.0   |

docs/wiki/Deploying-ALZ-Pre-requisites.md

@@ -47,7 +47,7 @@ Powershell:
 Connect-AzAccount
 
 #get object Id of  the current user (that is used above)
-$user = Get-AzADUser -UserPrincipalName (Get-AzContext).Account
+$user = Get-AzAduser -SignedIn
 
 #assign Owner  role to Tenant root scope ("/") as a User Access Administrator
 New-AzRoleAssignment -Scope '/' -RoleDefinitionName 'Owner' -ObjectId $user.Id

docs/wiki/Whats-new.md

@@ -51,10 +51,12 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
 
 #### Docs
 
-- Renamed Azure DDoS Standard Protection references to [Azure DDoS Network Protection](https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison#ddos-network-protection).
+- Renamed Azure DDoS Standard Protection references to [Azure DDoS Network Protection](https://learn.microsoft.com/azure/ddos-protection/ddos-protection-sku-comparison#ddos-network-protection).
 - Added ALZ deprecated [policies section](Deprecating-ALZ-Policies.md) to the Wiki.
 - Included documentation on how to [Migrate ALZ custom policies to Azure builtin policies](migrate-alz-policies-to-builtin.md) to the Wiki.
-
+- Added links to the superseding policies on the [ALZ Deprecated Services](./ALZ-Deprecated-Services.md) page.
+- Renamed Azure Security Benchmark references to [Microsoft Cloud Security Benchmark](https://learn.microsoft.com/security/benchmark/azure/introduction).
+
 #### Tooling
 
 - Updated ALZ Portal Accelerator to support all available Availability Zones as listed [here](https://learn.microsoft.com/azure/reliability/availability-zones-service-support#azure-regions-with-availability-zone-support)
@@ -72,6 +74,20 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
   - Version 1.0.0 -> 1.1.0
   - Added system databases master, model, tempdb, msdb, resource to exclusion parameter as default values
   - Added as Policy Rule 'notIn' which will exclude the above databases from the policy
+- Updated "**Deploy-Private-DNS-Zones**" Custom initiative for **Azure Public Cloud**, with latest built-in Policies. Policies were added for the following Services:
+  - Azure Automation
+  - Azure Cosmos DB (all APIs: SQL, MongoDB, Cassandra, Gremlin, Table)
+  - Azure Data Factory
+  - Azure HDInsight
+  - Azure Migrate (missing Private DNS Zone also added)
+  - Azure Storage (Blob, Queue, File, Static Web, DFS and all relative secondaries)
+  - Azure Synapse Analytics
+  - Azure Media Services
+  - Azure Monitor
+- Minor fixes related to "**Deploy-Private-DNS-Zones**" Custom Initiative and respective Assignment:
+  - Added missing Zones for **"WebPubSub"** and **"azure-devices-provisioning"**, so Initiative Assignment works correctly
+  - Minor correction related to **ASR Private DNS Zone variable**, so Initiative Assignment works correctly
+  - Convertion of **"Azure Batch"** Private DNS Zone (from regional to global), to properly align with latest respective documentation and functionality
 - Renamed Azure DDoS Standard Protection references to [Azure DDoS Network Protection](https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-sku-comparison#ddos-network-protection). 
 - Incremented version for policy Deploy-DDoSProtection from "version":"1.0.0" to "version": "1.0.1"
 - Added `Configure Microsoft Defender for Azure Cosmos DB to be enabled` to the `Deploy Microsoft Defender for Cloud configuration` initiative and updated version to `3.1.0` - Fixing issue [issue #1081](https://github.com/Azure/Enterprise-Scale/issues/1081)
@@ -89,6 +105,17 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
   | Deploy-Nsg-FlowLogs                            | e920df7f-9a64-4066-9b58-52684c02a091 |
   | Deny-PublicIp                                  | 6c112d4e-5bc7-47ae-a041-ea2d9dccd749 |
 
+- "**"Deploy-ASC-SecurityContacts"**" definition update
+  - displayName and description update to "Deploy Microsoft Defender for Cloud Security Contacts"
+  - Added new parameter `minimalSeverity` with settings
+    - Default value `High`
+    - Allowed values: `High`, `Medium`, `Low`
+
+- "**"Deploy-MDFC-Config"**" definition update
+  - Updated policy definitions set Deploy-MDFC-Config, Deploy-MDFC-Config(US Gov), Deploy-MDFC-Config (China)
+    - added new parameter `minimalSeverity`.
+    - added default value for multiple  parameters. 
+
 ### Other
 
 - *No updates, yet.*

eslzArm/README-AzureChina.md

@@ -147,7 +147,7 @@ New-AzManagementGroupDeployment -Name "$($DeploymentName)-mdfc-config" `
                                 -emailContactAsc $SecurityContactEmailAddress `
                                 -Verbose
 
-# Assign Azure Policy to enable Azure Security Benchmark, deployed to top level management group
+# Assign Azure Policy to enable Microsoft Cloud Security Benchmark, deployed to top level management group
 
 New-AzManagementGroupDeployment -Name "$($DeploymentName)-asb" `
                                 -Location $Location `

eslzArm/README.md

@@ -189,7 +189,7 @@ New-AzManagementGroupDeployment -Name "$($DeploymentName)-mdfc-config" `
                                 -emailContactAsc $SecurityContactEmailAddress `
                                 -Verbose
 
-# Assign Azure Policy to enable Azure Security Benchmark, deployed to top level management group
+# Assign Azure Policy to enable Microsoft Cloud Security Benchmark, deployed to top level management group
 
 New-AzManagementGroupDeployment -Name "$($DeploymentName)-asb" `
                                 -Location $Location `

eslzArm/eslzArm.json

@@ -891,7 +891,7 @@
             "privatelink.cassandra.cosmos.azure.com",
             "privatelink.gremlin.cosmos.azure.com",
             "privatelink.table.cosmos.azure.com",
-            "[concat('privatelink.', parameters('connectivityLocation'), '.batch.azure.com')]",
+            "privatelink.batch.azure.com",
             "privatelink.postgres.database.azure.com",
             "privatelink.mysql.database.azure.com",
             "privatelink.mariadb.database.azure.com",
@@ -925,7 +925,10 @@
             "privatelink.azurehdinsight.net",
             "privatelink.his.arc.azure.com",
             "privatelink.guestconfiguration.azure.com",
-            "privatelink.media.azure.net"
+            "privatelink.media.azure.net",
+            "privatelink.prod.migration.windowsazure.com",
+            "privatelink.webpubsub.azure.com",
+            "privatelink.azure-devices-provisioning.net"
         ],
         "azBackupGeoCodes": {
             "australiacentral": "acl",
@@ -1312,7 +1315,7 @@
             }
         },
         {
-            // Assigning Azure Security Benchmark policy to intermediate root management group if condition is true
+            // Assigning Microsoft Cloud Security Benchmark policy to intermediate root management group if condition is true
             "condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]",
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",

eslzArm/managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json

@@ -17,8 +17,8 @@
         },
         "policyAssignmentNames": {
             "ascMonitoring": "Deploy-ASC-Monitoring",
-            "description": "Azure Security Benchmark policy initiative",
-            "displayName": "Azure Security Benchmark"
+            "description": "Microsoft Cloud Security Benchmark policy initiative",
+            "displayName": "Microsoft Cloud Security Benchmark"
         }
       },
     "resources": [