Azure Landing Zones - Policy Refresh Q1 FY25
ALZ - Policy Refresh Q1 FY25 is here!
As you may be aware, the ALZ team release cadence is now on quarterly basis to help customers and partners manage change in their environments. Additionally, based on feedback from our community, partners and customers that we will only introduce breaking changes every half-year, this release, being 3 months since the last breaking change (FY24 H2), therefore does not contain any breaking changes.
With the generally "quiet" time over the summer (in the northern hemisphere), the ALZ team have taken advantage and worked on enhancing security, quality and reliability of ALZ's Policies.
Security
As a core priority for Microsoft, security comes first.
We've updated all our custom minimum TLS version policies to support TLS version 1.2 AND 1.3 as more Azure services roll out supporting TLS 1.3 (we are aware of built-in policies owned by other product teams that require updating and will be working with them in the months ahead).
Most significantly we've introduced the option to audit (for now but over time will increase to deny) the use of virtual network private subnets, via the built-in policy "Subnets should be private". This is a key security feature that ensures resources in a subnet cannot access the internet directly but must either go through a firewall or NAT gateway to egress, reducing exfiltration options for potentially compromised resources. We encourage our partners and customers to review this in their environments, more information can be found here on this topic "Default outbound access in Azure - MS Learn".
We're also addressing other items like disabling local authentication for automation accounts, which is a best practice.
Quality
This involved a lot of backend work and scripting to improve testing of contributions to meet the high standards our consumers expect, including enhancements to testing of custom policy contributions but most notably a complete overhaul of deployment testing using the ARM reference implementation (driven through the portal experience). We can now do full deployments depending on the nature of changes from policy only to selected networking topologies, significantly reducing the many hours needed to do end to end testing with every release.
Whilst this doesnt directly benefit our consumers, it does mean we can complete more work as an ALZ team as testing is enhanced and more efficient which in turn means ALZ can add more in each release for our consumers to benefit from.
AI Ready
Microsoft is heavily invested in the AI space, and ALZ plays a part in driving it's adoption at scale.
We're working with internal teams preparing to provide prescriptive guidance for customers leveraging Azure AI Services in their tenants. To support these teams and ensuring customers are following best practices securing the Azure AI Services in their tenants, we are releasing significant updates to our recommended policies and initiatives for:
- Azure OpenAI
- Cognitive Services/Search -> AI Services
- Machine Learning
- Bot Service (new) -> AI Bot Services
| Note: some services are changing names (as indicated above)
For those using the portal accelerator, the options to configure this are under "Workload Specific Compliance", which has been enhanced to provide a more friendly user experience journey and as before allows you to define the scope to apply:
For those just looking to benefit from our awesome policy work in the AI space, head to our wiki page that contains details and links to all of the policies mentioned above.
General
We have also made a number of small changes to policies and initiatives to update to the latest and greatest, or added much asked for features like adding the option to select either ALL or AUDIT only diagnostic settings logs to be sent to Log Analytics.
We updated initiatives to use a newer built-in policy versions, added additional configuration options - all driven by feedback from the field (please keep it coming!)
Closing
Do note that the ALZ Policy Refresh is released first to the portal experience (as this is where we currently host policy definitions & initiatives as a source of truth), and it takes a short time before these updates are incorporated in the other reference implementations like Terraform, Bicep, etc. Please do check the release notes on those repositories if you are using those implementations.
If you have suggestions for ALZ, please do submit a GitHub Issue over at https://aka.ms/alz/repo.
Please do also regularly review our What's New (https://aka.ms/alz/whatsnew), as this includes all the details of what has changed, including any updates needed between major releases.
And finally make sure to attend our community call https://aka.ms/alz/communitycall which we host every 3 months and discuss releases and also catch-up on the recordings of the previous ones at the same link!
Published on:
Learn moreRelated posts
How to Integrate Azure Service Bus with Microsoft Dynamics 365 CRM Step by Step with Example?
Keeping data flowing between applications is critical in today’s connected business world. Organizations using Microsoft Dynamics 365 CR...
Enhancing Secure Sign-Ins with Temporary Access Pass in Azure Active Directory
Introduction While working on improving user account recovery scenarios, a common challenge often arises: how to securely allow a user to sign...
Azure SDK Release (September 2025)
Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (September 202...
Batch Processing Triggered Pipeline Runs in Azure Synapse
This post describes a pattern for batch processing triggered pipeline runs in Azure Synapse
Reliably refreshing a Semantic Model from Azure Data Factory or Synapse Pipelines
This post describes a pattern for reliably refreshing Power BI semantic models from Azure Data Factory or Azure Synapse Pipelines.
Power Pages Fundamentals #24: Boosting Portal Security with Azure Single Sign-On: Quick Read Series
Contoso Motors is a large automotive service company.They have built a Power Pages customer portal for their external partners and customers t...
Building Azure functions that never store secrets — ever
What if your function could hit Microsoft Graph with no client secrets, no certs, and no Key Vault entries? That is exactly what a Managed id...
Azure Functions missing after zip deploy from GitHub Actions
Learn how to troubleshoot Azure Functions that don't appear after zip deployment from GitHub Actions, including platform architecture configur...