Policy Refresh Q4FY23

[Springstone]

Overview/Summary

Policy Refresh for Q4 FY23.

This PR fixes/adds/changes/removes

Policy

• Fixed default assignment for SQLEncryption (DINE-SQLEncryptionPolicyAssignment) to use the correct policy definition.
• Added new default assignment for SQLThreatDetection (DINE-SQLThreatPolicyAssignment) to use the previous policy definition from DINE-SQLEncryptionPolicyAssignment.
• Updated the assignment DINE-LogAnalyticsPolicyAssignment (Deploy-Log-Analytics) to default enforcement mode to "DoNotEnforce". The Log Analytics workspace is deployed directly by the reference implementations, and as a result this policy is no longer required to deploy the Log Analytics workspace. Retaining the assignment for auditing purposes.
• Added new custom policies for:
  • Storage Accounts with custom domains assigned should be denied - Deny-StorageAccount-CustomDomain
  • File Services with insecure Kerberos ticket encryption should be denied - Deny-FileServices-InsecureKerberos
  • File Services with insecure SMB channel encryption should be denied - Deny-FileServices-InsecureSMBChannel
  • File Services with insecure SMB versions should be denied - Deny-FileServices-InsecureSMBVersions
  • File Services with insecure authentication methods should be denied - Deny-FileServices-InsecureAuth
  • 'User Defined Routes with 'Next Hop Type' set to 'Internet' or 'VirtualNetworkGateway' should be denied'
  • 'Storage Accounts with SFTP enabled should be denied'
  • 'Subnets without Private Endpoint Network Policies enabled should be denied'
• Updated Deploy-Diagnostics-APIMgmt.json to support resource-specific destination table in the diagnostic setting for API Management.
• Updated Deploy-Diagnostics-LogAnalytics.json policy initiative with new parameter to support resource-specific destination table in the diagnostic setting for API Management.
• Deprecated policy Deny-MachineLearning-PublicNetworkAccess.
• Update initiative Deny-PublicPaaSEndpoints to replace deprecated policy Deny-MachineLearning-PublicNetworkAccess with builtin 438c38d2-3772-465a-a9cc-7a6666a275ce.
• Deprecated policy Deny-PublicEndpoint-MariaDB.
• Update initiative Deny-PublicPaaSEndpoints to replace deprecated policy Deny-PublicEndpoint-MariaDB with builtin fdccbe47-f3e3-4213-ad5d-ea459b2fa077 - special note: US Gov/Fairfax still uses the now deprecated policy as the builtin is not yet available.

Tooling

• Updated Portal Accelerator tooltips to provide more relevance and links to associated policies or initiatives.

Breaking Changes

1. N/A

Testing Evidence

Please provide any testing evidence to show that your Pull Request works/fixes as described and planned (include screenshots, if appropriate).

Testing URLs

Azure Public

As part of this Pull Request I have

• Checked for duplicate Pull Requests
• Associated it with relevant issues, for tracking and closure.
• Ensured my code/branch is up-to-date with the latest changes in the main branch
• Performed testing and provided evidence.
• Ensured contribution guidance is followed.
• Updated relevant and associated documentation.
• Updated the "What's New?" wiki page (located: /docs/wiki/whats-new.md)

[jtracey93]

LGTM