
@JonasCordsen
Contributor

Updating exemption for securityContacts to reflect the expected, as of both MCSB and what the policy deploys

Overview/Summary

The securityContacts does not evaluate if the notificationsByRole is set, so if previous settings had been made, this policy would be compliant, but the audit from MCSB would be non-compliant.

This PR fixes/adds/changes/removes

  1. Adding an existenceCondition to ensure that notificationsByRole state is on and that it contains the role Owner

Breaking Changes

  1. None

Testing Evidence

Adding the definition to my own branch, and ensuring they went to non-compliant and that a remediation of the policy caused the subscriptions to become compliant

Testing URLs

The below URLs can be updated where the placeholders are, look for {YOUR GITHUB BRANCH NAME HERE - Remove Curly Brackets Also} & {YOUR GITHUB BRANCH NAME HERE - Remove Curly Brackets Also}, to allow you to test your portal deployment experience.

Please also replace the curly brackets on the placeholders {}

Azure Public

Deploy To Azure

Azure US Gov (Fairfax)

Deploy To Azure

As part of this Pull Request I have

  • Checked for duplicate Pull Requests
  • Associated it with relevant issues, for tracking and closure.
  • Ensured my code/branch is up-to-date with the latest changes in the main branch
  • Performed testing and provided evidence.
  • Ensured contribution guidance is followed.
  • Updated relevant and associated documentation.
  • Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)

@JonasCordsen JonasCordsen requested a review from a team as a code owner February 6, 2025 12:46
@JonasCordsen
Contributor Author

@Springstone Hey, I just updated with another linter so it follows what you require, so need a new review :)

@JonasCordsen
Contributor Author

@jtracey93, @Springstone
Hello Jack and Sacha, hoping to get this reviewed when possible, can one of you maybe take a look?
Or for a start letting the linters run? xD

@JonasCordsen
Contributor Author

@Springstone and/or @jtracey93

Any chance that one of you can take a look at this PR? :)

@Springstone
Member

Springstone commented Jul 23, 2025

@JonasCordsen apologies for the delay in getting back to you. A lot of change is impacting our focus.
There are additional changes required to this policy for it to be effective, so will review soonest. Also ensure any changes are documented in What's New please.

@JonasCordsen
Contributor Author

Hello @Springstone Thank you for getting back to me.
I completely understand that there are a lot of demands on your time :)

If there is anything I can do or change in this, please let me know.
I will gladly make the required change to help speed this change up.

@Springstone
Member

Hi @JonasCordsen. Sorry for the huge gap in response... most of the folks in this team have moved around, and we have other priorities - but we're getting back to business. For this PR, we have bigger issues as currently, this policy is never compliant due to alias/API changes. New additions like "attack path", the change of severity levels to string instead of array, etc. I'm trying to get it to work with your contribution and will include it in the upcoming policy refresh. You will get credit for your contribution in What's New for sure, maybe not through this PR though. Hope you understand.

@Springstone added the "Status: Do Not Merge ⛔" (Do not merge PRs with this label attached as they are not ready etc.) and "Area: Policy 📝" (Issues / PR's related to Policy) labels Dec 16, 2025