4 changes: 2 additions & 2 deletions docs/wiki/ALZ-Policies-Extra.md
Expand Up @@ -34,7 +34,7 @@ To support the additional control requirements of these industries, we're provid

| Initiative ID | Name | Description | # of Policies |
|------------|-------------|-------------|-------------|
| [Enforce-Encryption-CMK](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK.html) | Deny or Audit resources without Encryption with a customer-managed key (CMK) | This policy initiative is a group of policies that ensures Customer Managed Keys is compliant per regulated Landing Zones. | 30 |
| [Enforce-Encryption-CMK](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Encryption-CMK_20250218.html) | Deny or Audit resources without Encryption with a customer-managed key (CMK) | This policy initiative is a group of policies that ensures Customer Managed Keys is compliant per regulated Landing Zones. | 30 |
| [Enforce-Guardrails-APIM](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-APIM.html) | Enforce recommended guardrails for API Management | This policy initiative is a group of policies that ensures API Management is compliant per regulated Landing Zones. | 11 |
| [Enforce-Guardrails-AppServices](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-AppServices.html) | Enforce recommended guardrails for App Service | This policy initiative is a group of policies that ensures App Service is compliant per regulated Landing Zones. | 19 |
| [Enforce-Guardrails-Automation](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Automation.html) | Enforce recommended guardrails for Automation Account | This policy initiative is a group of policies that ensures Automation Account is compliant per regulated Landing Zones. | 6 |
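Review bot: the Enforce-Encryption-CMK link now points at a dated azadvertizer snapshot (`Enforce-Encryption-CMK_20250218.html`) while every other row in this table links the undated page; if the intent is to pin the documented version, say so in the row, otherwise the dated link goes stale the next time the initiative is revised. Please also confirm the `# of Policies` value (30) still matches the version that dated page describes, since only the URL changed.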
Expand All @@ -53,7 +53,7 @@ To support the additional control requirements of these industries, we're provid
| [Enforce-Guardrails-Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html) | Enforce recommended guardrails for Kubernetes | This policy initiative is a group of policies that ensures Kubernetes is compliant per regulated Landing Zones. | 16 |
| [Enforce-Guardrails-MachineLearning](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MachineLearning.html) | Enforce recommended guardrails for Machine Learning | This policy initiative is a group of policies that ensures Machine Learning is compliant per regulated Landing Zones. | 14 |
| [Enforce-Guardrails-MySQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-MySQL.html) | Enforce recommended guardrails for MySQL | This policy initiative is a group of policies that ensures MySQL is compliant per regulated Landing Zones. | 2 |
| [Enforce-Guardrails-Network](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network.html) | Enforce recommended guardrails for Network and Networking services | This policy initiative is a group of policies that ensures Network and Networking services is compliant per regulated Landing Zones. | 22 |
| [Enforce-Guardrails-Network](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Network_20250326.html) | Enforce recommended guardrails for Network and Networking services | This policy initiative is a group of policies that ensures Network and Networking services is compliant per regulated Landing Zones. | 22 |
| [Enforce-Guardrails-OpenAI](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-OpenAI.html) | Enforce recommended guardrails for Azure OpenAI (Cognitive Service) | This policy initiative is a group of policies that ensures Azure OpenAI (Cognitive Services) is compliant per regulated Landing Zones. | 11 |
| [Enforce-Guardrails-PostgreSQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-PostgreSQL.html) | Enforce recommended guardrails for PostgreSQL | This policy initiative is a group of policies that ensures PostgreSQL is compliant per regulated Landing Zones. | 1 |
| [Enforce-Guardrails-ServiceBus](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-ServiceBus.html) | Enforce recommended guardrails for Service Bus | This policy initiative is a group of policies that ensures Service Bus is compliant per regulated Landing Zones. | 4 |
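Review bot: `Enforce-Guardrails-Network_20250326.html` pins a dated azadvertizer snapshot while the neighbouring rows use the undated initiative page, so the table now mixes two link conventions; either pin every row or none. The row's policy count (22) and description were left untouched, so check they still match the version behind that dated link.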
3 changes: 2 additions & 1 deletion docs/wiki/ALZ-Policies.md
Expand Up @@ -83,7 +83,8 @@ The table below provides the specific **Custom** and **Built-in** **policy defin
| **[Preview]: Deploy Microsoft Defender for Endpoint agent** | **[Preview]: Deploy Microsoft Defender for Endpoint agent** | `Policy Definition Set`, **Built-in** | Deploy Microsoft Defender for Endpoint agent on applicable images. | DeployIfNotExists |
| **Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud** | **Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud** | `Policy Definition Set`, **Built-in** | Configure multiple Microsoft Defender for Endpoint integration settings with Microsoft Defender for Cloud images. | DeployIfNotExists |
| **Enable allLogs category group resource logging for supported resources to Log Analytics** or | **Deploy Diagnostic Settings to Azure Services** | `Policy Definition Set`, **Custom** | This policy set deploys the configurations of application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace. | DeployIfNotExists |
| **Enable Monitoring in Microsoft Defender for Cloud** | **Azure Security Benchmark** | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see <https://aka.ms/azsecbm>. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled |
| **Enable Monitoring in Microsoft Defender for Cloud** | **Microsoft Cloud Security Benchmark v1** | `Policy Definition Set`, **Built-in** | The Microsoft Cloud Security Benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft Cloud Security Benchmark v1, see <https://aka.ms/azsecbm>. This also serves as the Azure Security Center default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Azure Security Center. | Audit, AuditIfNotExists, Disabled |
| **Enable Monitoring in Microsoft Defender for Cloud v2** | **Microsoft Cloud Security Benchmark v2** | `Policy Definition Set`, **Built-in** | The Microsoft cloud security benchmark initiative represents the policies and controls implementing security recommendations defined in Microsoft cloud security benchmark, see https://aka.ms/azsecbm. This also serves as the Microsoft Defender for Cloud default policy initiative. You can directly assign this initiative, or manage its policies and compliance results within Microsoft Defender for Cloud. | Policy defaults |
| **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | **Configure Azure Defender to be enabled on SQL Servers and SQL Managed Instances** | `Policy Definition Set`, **Built-in** | Enable Azure Defender on your SQL Servers and SQL Managed Instances to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. | DeployIfNotExists |
| **Configure Advanced Threat Protection to be enabled on open-source relational databases** | **Configure Advanced Threat Protection to be enabled on open-source relational databases** | `Policy Definition Set`, **Built-in** | Enable Advanced Threat Protection on your non-Basic tier open-source relational databases to detect anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. See https://aka.ms/AzDforOpenSourceDBsDocu. | DeployIfNotExists |
| **Deploy Diagnostic Settings for Activity Log to Log Analytics workspace** | **Configure Azure Activity logs to stream to specified Log Analytics workspace** | `Policy Definition`, **Built-in** | Deploys the diagnostic settings for Azure Activity to stream subscriptions audit logs to a Log Analytics workspace to monitor subscription-level events | DeployIfNotExists |
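Review bot: the new v2 row's effect column reads `Policy defaults` while every other row lists concrete effects (`Audit, AuditIfNotExists, Disabled`, `DeployIfNotExists`); readers use that column to judge whether an assignment can block or remediate resources, so list the v2 initiative's effects or state explicitly that the effects are parameters left at the initiative defaults. Two smaller consistency points: the renamed v1 row still says it serves as the "Azure Security Center default policy initiative" while the v2 row says "Microsoft Defender for Cloud", and the v2 row's `https://aka.ms/azsecbm` lacks the angle brackets the v1 row uses for the autolink.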
10 changes: 10 additions & 0 deletions docs/wiki/Whats-new.md
@@ -1,6 +1,7 @@
## In this Section

- [Updates](#updates)
- [🔃 Policy Refresh H1 FY26](#-policy-refresh-h1-fy26)
- [December 2025](#december-2025)
- [November 2025](#november-2025)
- [October 2025](#october-2025)
Expand Down Expand Up @@ -62,6 +63,15 @@ This article will be updated as and when changes are made to the above and anyth

Here's what's changed in Enterprise Scale/Azure Landing Zones:

### 🔃 Policy Refresh H1 FY26

- *New* custom policy [Audit-AKS-kubenet](https://www.azadvertizer.net/azpolicyadvertizer/Audit-AKS-kubenet.html) to detect AKS clusters using the deprecated 'kubenet' network plugin. This policy is included in the initiative [Enforce-Guardrails-Kubernetes](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-Kubernetes.html) with the effect defaulted to "Audit". The effect can be changed via the new parameter `aksKubenetEffect`. Deployment scope is defined in deployments; ALZ defaults to the `Platform` and `Landing Zones` management groups. Added as the deprecation of kubenet is planned for 31 March 2028. For more information review [https://learn.microsoft.com/en-us/azure/aks/configure-kubenet](https://learn.microsoft.com/en-us/azure/aks/configure-kubenet). Please review the deprecation announcement on [Azure Updates](https://azure.microsoft.com/en-gb/updates?id=485172).
- Updated initiative [Enforce-Guardrails-SQL](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/Enforce-Guardrails-SQL.html) to include additional policies to enforce Entra-only authentication for SQL and SQL Managed Instances (prevents changing authentication method after creation).
- Updated policy [Deny-FileServices-InsecureSmbVersions](https://www.azadvertizer.net/azpolicyadvertizer/Deny-FileServices-InsecureSmbVersions.html) to version 1.1.0. Added a check for storage accounts created with maximum compatibility, which sets the value of `protocolSettings.smb.versions` to `null` - which would have resulted in compliance being incorrectly reported.
- Updated policy [Deny-FileServices-InsecureSmbChannel](https://www.azadvertizer.net/azpolicyadvertizer/Deny-FileServices-InsecureSmbChannel.html) to version 1.1.0. Added a check for storage accounts created with maximum compatibility, which sets the value of `protocolSettings.smb.channelEncryption` to `null` - which would have resulted in compliance being incorrectly reported.
- Updated policy [Deploy-ASC-SecurityContacts](https://www.azadvertizer.net/azpolicyadvertizer/Deploy-ASC-SecurityContacts.html) to version 2.1.0. Updated the policy to update the default deployment and compliance check for the new attack path severity parameter, which is defaulted to `critical`.
- Added the new built-in initiative [Microsoft cloud security benchmark v2](https://www.azadvertizer.net/azpolicyinitiativesadvertizer/e3ec7e09-768c-4b64-882c-fcada3772047.html) to the portal accelerator. This initiative includes updated policies and new controls to align with the latest security best practices. The new initiative is assigned by default (if Defender for Cloud and Log Analytics are enabled) at the Intermediate root management group scope using the default values as defined in the initiative. As this initiative is still in preview, we're are deploying this together with version 1 of the existing Microsoft Cloud Security Benchmark initiative to allow customers to evaluate and prepare for the transition.

### December 2025

#### Tooling
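Review bot: typo in the last new bullet: "we're are deploying" should be "we are deploying". In the same bullet the link text "Microsoft cloud security benchmark v2" is lower-cased where the ALZ-Policies.md table in this PR writes "Microsoft Cloud Security Benchmark v2"; pick one casing. The Deploy-ASC-SecurityContacts bullet reads "Updated the policy to update the default deployment and compliance check"; "Updated the default deployment and compliance check for the new attack path severity parameter" says the same thing once.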
29 changes: 29 additions & 0 deletions eslzArm/eslzArm.json
Expand Up @@ -1911,6 +1911,7 @@
"resourceGroup": "[uri(deployment().properties.templateLink.uri, 'subscriptionTemplates/resourceGroup.json')]",
"ddosProtection": "[uri(deployment().properties.templateLink.uri, 'resourceGroupTemplates/ddosProtection.json')]",
"asbPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASBPolicyAssignment.json')]",
"asb2PolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ASB2PolicyAssignment.json')]",
"svcHealthBuiltInPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ServiceHealthBuiltInPolicyAssignment.json')]",
"regulatoryComplianceInitaitves": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/ENFORCE-RegulatoryCompliancePolicyAssignment.json')]",
"resourceDiagnosticsInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DINE-ResourceDiagnosticsPolicyAssignment.json')]",
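Review bot: `asb2PolicyInitiative` points at `managementGroupTemplates/policyAssignments/DINE-ASB2PolicyAssignment.json`, but that file is not among the files changed in this PR view; please confirm it is committed, because the deployment added further down in this template links to it and a missing linked template only fails at deployment time. The `DINE-` prefix is inherited from the v1 `asbPolicyInitiative` entry even though ALZ-Policies.md in this PR lists the v1 benchmark with audit effects rather than DeployIfNotExists; acceptable for naming consistency, but worth a comment so the prefix does not mislead.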
Expand Down Expand Up @@ -2032,6 +2033,7 @@
"monitorServiceHealthDeploymentName": "[take(concat('alz-SvcHealthMonitor', variables('deploymentSuffix')), 64)]",
"monitorServiceHealthBuiltInDeploymentName": "[take(concat('alz-SvcHealthBuiltIn', variables('deploymentSuffix')), 64)]",
"asbPolicyDeploymentName": "[take(concat('alz-ASB', variables('deploymentSuffix')), 64)]",
"asb2PolicyDeploymentName": "[take(concat('alz-ASB2', variables('deploymentSuffix')), 64)]",
"regulatoryComplianceInitativesToAssignDeploymentName": "[take(concat('alz-RegComp-', deployment().location, '-', uniqueString(parameters('currentDateTimeUtcNow')), '-'), 64)]",
"resourceDiagnosticsPolicyDeploymentName": "[take(concat('alz-ResourceDiagnostics', variables('deploymentSuffix')), 64)]",
"activityDiagnosticsPolicyDeploymentName": "[take(concat('alz-ActivityDiagnostics', variables('deploymentSuffix')), 64)]",
Expand Down Expand Up @@ -3057,6 +3059,33 @@
"parameters": {}
}
},
{
// Assigning Microsoft Cloud Security Benchmark v2 policy to intermediate root management group if condition is true
"condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2024-11-01",
"name": "[variables('deploymentNames').asb2PolicyDeploymentName]",
"scope": "[variables('scopes').eslzRootManagementGroup]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
"alz-prerequisites",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
],
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').asb2PolicyInitiative]"
},
"parameters": {
"topLevelManagementGroupPrefix": {
"value": "[parameters('enterpriseScaleCompanyPrefix')]"
}
}
}
},
{
// Assigning Service Health built-in policy to intermediate root management group if condition is true
"condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableServiceHealthBuiltIn'), 'Yes'), equals(parameters('enableServiceHealth'), 'No'))]",
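Review bot: the condition assigns the v2 initiative when either `enableLogAnalytics` or `enableAsc` is `'Yes'` (`or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes'))`), but the Whats-new.md entry in this PR says it is assigned "if Defender for Cloud and Log Analytics are enabled"; make the doc and the template agree on "or" versus "and". Since only `topLevelManagementGroupPrefix` is passed to the linked template, every v2 effect stays at its initiative default and both the v1 and v2 benchmark assignments will evaluate the same resources at the same intermediate root scope, so the release note should tell customers to expect overlapping compliance results while both are in place.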