Azure Landing Zones - Policy Refresh Q1 FY25
ALZ - Policy Refresh Q1 FY25 is here!
As you may be aware, the ALZ team release cadence is now on quarterly basis to help customers and partners manage change in their environments. Additionally, based on feedback from our community, partners and customers that we will only introduce breaking changes every half-year, this release, being 3 months since the last breaking change (FY24 H2), therefore does not contain any breaking changes.
With the generally "quiet" time over the summer (in the northern hemisphere), the ALZ team have taken advantage and worked on enhancing security, quality and reliability of ALZ's Policies.
Security
As a core priority for Microsoft, security comes first.
We've updated all our custom minimum TLS version policies to support TLS version 1.2 AND 1.3 as more Azure services roll out supporting TLS 1.3 (we are aware of built-in policies owned by other product teams that require updating and will be working with them in the months ahead).
Most significantly we've introduced the option to audit (for now but over time will increase to deny) the use of virtual network private subnets, via the built-in policy "Subnets should be private". This is a key security feature that ensures resources in a subnet cannot access the internet directly but must either go through a firewall or NAT gateway to egress, reducing exfiltration options for potentially compromised resources. We encourage our partners and customers to review this in their environments, more information can be found here on this topic "Default outbound access in Azure - MS Learn".
We're also addressing other items like disabling local authentication for automation accounts, which is a best practice.
Quality
This involved a lot of backend work and scripting to improve testing of contributions to meet the high standards our consumers expect, including enhancements to testing of custom policy contributions but most notably a complete overhaul of deployment testing using the ARM reference implementation (driven through the portal experience). We can now do full deployments depending on the nature of changes from policy only to selected networking topologies, significantly reducing the many hours needed to do end to end testing with every release.
Whilst this doesnt directly benefit our consumers, it does mean we can complete more work as an ALZ team as testing is enhanced and more efficient which in turn means ALZ can add more in each release for our consumers to benefit from.
AI Ready
Microsoft is heavily invested in the AI space, and ALZ plays a part in driving it's adoption at scale.
We're working with internal teams preparing to provide prescriptive guidance for customers leveraging Azure AI Services in their tenants. To support these teams and ensuring customers are following best practices securing the Azure AI Services in their tenants, we are releasing significant updates to our recommended policies and initiatives for:
- Azure OpenAI
- Cognitive Services/Search -> AI Services
- Machine Learning
- Bot Service (new) -> AI Bot Services
| Note: some services are changing names (as indicated above)
For those using the portal accelerator, the options to configure this are under "Workload Specific Compliance", which has been enhanced to provide a more friendly user experience journey and as before allows you to define the scope to apply:
For those just looking to benefit from our awesome policy work in the AI space, head to our wiki page that contains details and links to all of the policies mentioned above.
General
We have also made a number of small changes to policies and initiatives to update to the latest and greatest, or added much asked for features like adding the option to select either ALL or AUDIT only diagnostic settings logs to be sent to Log Analytics.
We updated initiatives to use a newer built-in policy versions, added additional configuration options - all driven by feedback from the field (please keep it coming!)
Closing
Do note that the ALZ Policy Refresh is released first to the portal experience (as this is where we currently host policy definitions & initiatives as a source of truth), and it takes a short time before these updates are incorporated in the other reference implementations like Terraform, Bicep, etc. Please do check the release notes on those repositories if you are using those implementations.
If you have suggestions for ALZ, please do submit a GitHub Issue over at https://aka.ms/alz/repo.
Please do also regularly review our What's New (https://aka.ms/alz/whatsnew), as this includes all the details of what has changed, including any updates needed between major releases.
And finally make sure to attend our community call https://aka.ms/alz/communitycall which we host every 3 months and discuss releases and also catch-up on the recordings of the previous ones at the same link!
Published on:
Learn moreRelated posts
Building on Vercel’s eve + Azure Cosmos DB: An Agent That Remembers
Most “AI agent” demos forget everything the moment the process exits. That’s fine for a toy project, but useless for anythin...
Copilot Studio – Environment-level agent telemetry export to Azure Application Insights (Preview)
We are announcing the ability for administrators to export Copilot Studio agent telemetry at the environment level to Azure Application Insigh...
See our new Azure Cosmos DB Design Patterns
Design patterns are where good data modeling lives or dies. In a NoSQL database like Azure Cosmos DB, the difference between a schema that sca...
Need a different partition key in Azure Cosmos DB? Pick the right approach
Once you create a container, its partition key is fixed at creation, and you can’t change it in place. However, if your original key starts ca...
Azure SDK Release (June 2026)
Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (June 2026) ap...
Fundamentals of Azure DevOps with SQL projects
Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...
Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers
Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...
What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)
We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...
Power Automate Flow — HTTP Trigger to Azure OpenAI
Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...
Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB
The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...